Abstract. Separation logic is a recent extension of Hoare logic for reasoning about programs with references to shared mutable data structures. In this paper, we provide a new interpretation of the logic for a programming language with higher types. Our interpretation is based on Reynolds's relational parametricity, and it provides a formal connection between separation logic and data abstraction.



1. Introduction 

Separation logic [16, 13, 7] is a Hoare-style program logic, and variants of it have been applied to prove correct interesting pointer algorithms such as copying a dag, disposing a graph, the Schorr-Waite graph algorithm, and Cheney's copying garbage collector. The main advantage of separation logic compared to ordinary Hoare logic is that it facilitates local reasoning, formalized via the so-called frame rule using a connective called separating conjunction. The development of separation logic initially focused on low-level languages with heaps and pointers, although in recent work [14, 8] it was shown how to extend separation logic first to languages with a simple kind of procedures [14] and then to languages also with higher types [8]. Moreover, in [14] a second-order frame rule was proved sound and in [8] a whole range of higher-order frame rules were proved sound for a separation-logic type system.

In [14] and [8] it was explained how second and higher-order frame rules can be used 
to reason about static imperative modules. The idea is roughly as follows. Suppose that 
we prove a specification for a client c, depending on a module k, 

$$\{P_1\}\,k\,\{Q_1\} \;\vdash\; \{P\}\,c(k)\,\{Q\}.$$

The proof of the client depends only on the "abstract specification" of the module, which 
describes the external behavior of k. Suppose further that an actual implementation m of 
the module satisfies 

$$\{P_1 * I\}\,m\,\{Q_1 * I\}.$$
1998 ACM Subject Classification: F.3, D.3. 
First implementation:

    init₀(i) = c.next := i
    inc₀     = let i = c.next in let v = i.data in i.data := v+1
    read₀    = let i = c.next in let v = i.data in g.data := v

Second implementation:

    init₁(i) = let v = i.data in i.data := −v; c.next := i
    inc₁     = let i = c.next in let v = i.data in i.data := v−1
    read₁    = let i = c.next in let v = i.data in g.data := −v

Figure 1: Counter Modules

Here I is the internal resource invariant of the module m, describing the internal heap 
storage used by the module to implement the abstract specification. We can then employ 
a (higher-order) frame rule on the specification for the client to get 

$$\{P_1 * I\}\,k\,\{Q_1 * I\} \;\vdash\; \{P * I\}\,c(k)\,\{Q * I\},$$

and combine it with the specification for m to obtain 

$$\{P * I\}\,c(m)\,\{Q * I\}.$$

A key advantage of this approach to modularity is that it facilitates so-called "ownership 
transfer." For example, if the module is a queue, then the ownership of cells transfers from 
the client to module upon insertion into the queue. Moreover, the discipline allows clients 
to maintain pointers into cells that have changed ownership to the module. See [14] for 
examples and more explanations of these facts. 

Note that the higher-order frame rules in essence provide implicit quantification over 
internal resource invariants. In [5] it is shown how one can employ a higher-order version 
of separation logic, with explicit quantification of assertion predicates to reason about dy- 
namic modularity (where there can be several instances of the same abstract data type 
implemented by an imperative module), see also [15]. The idea is to existentially quantify 
over the internal resource invariants in a module, so that in the above example, c would 
depend on a specification for k of the form 

$$\exists I.\ \{P_1 * I\}\,k\,\{Q_1 * I\}.$$

As emphasized in the papers mentioned above, note that, both in the case of implicit quan- 
tification over internal resource invariants (higher-order frame rules) and in the case of ex- 
plicit quantification over internal resource invariants (existentials over assertion predicates), 
reasoning about a client does not depend on the internal resource invariant of possible mod- 
ule implementations. Thus the methodology allows us to formally reason about mutable 
abstract data types, a.k.a. imperative modules. 

However, the semantic models in the papers mentioned above do not allow us to make 
all the conclusions we would expect from reasoning about mutable abstract data types. In 
particular, we would expect that clients should behave parametrically in the internal re- 
source invariants: When a client is applied to two different implementations of a mutable 
abstract data type, it should be the case that the client preserves relations between the in- 
ternal resource invariants of the two implementations. This is analogous to Reynolds-style relational parametricity for abstract data types with quantification over type variables [17].
To understand this issue more clearly, consider the two implementations of a counter in Figure 1. A counter has three operations: init(i) for initializing the counter, and inc and read for increasing and reading the value of the counter. In the first implementation, init₀(i) takes a heap cell i containing an initial value for the counter, and stores its address i in the internal variable c, thereby setting the value of the counter to the contents of i. The intention is that when a client program calls this initialization routine with cell i, it should transfer the ownership of the cell to the counter: it should not dereference the cell after calling init₀(i). The operation inc₀ increases the value of the transferred cell i, and read₀ returns the value of cell i, by storing it in a pre-determined global variable g. The second implementation is almost identical to the first, except that the value of the counter is negated. Thus, when R is the relation that relates a heap containing cell i and variable c with the same heap with the value of cell i negated, all operations of these two implementations preserve this relation R.

Now suppose that we are given a client program of the form 

let i=new in (i.data:=n; init(i); b(inc, read))

whose body b satisfies the following specification in separation logic: 

$$\{\mathrm{emp}\}\,inc\,\{\mathrm{emp}\},\ \{g \mapsto -\}\,read\,\{g \mapsto -\} \;\vdash\; \{P\}\,b(inc, read)\,\{Q\}$$

for some P, Q that do not mention cell i. We expect that the body b of the client preserves the relation R of the two implementations, and that the client cannot detect the difference between the two. Our expectation is based on the specification for b, which says that the triple {P} b(inc, read) {Q} can be proved in separation logic, assuming only the "abstract specification" of the inc and read operations, where all the internal resources of the module, such as cell i, are hidden. This provability should prevent b from accessing the internal resources of a counter directly and thus detecting the difference between the two implementations. However, none of the existing models of separation logic can justify our expectation on the client program above.
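As an added illustration that is not part of the paper, the following Python model runs the two counter implementations of Figure 1 on a concrete heap, states the relation R, and checks that a client body using only inc and read preserves R, whereas a body that dereferences the transferred cell i (which the abstract specification does not allow one to prove) does not. The names Machine, related_R, run_client, check and G_ADDR are constructed for this example.

```python
"""Constructed heap model of the two counter modules of Figure 1 and of the
relation R between their internal resources (example code, not the paper's)."""

G_ADDR = 0  # address of the pre-determined global cell g (constructed choice)


class Machine:
    """One machine: a heap mapping addresses to [data, next] cells, the
    module's internal variable c and a fresh-address counter.  variant 0 is
    the first implementation of Figure 1, variant 1 the negated one."""

    def __init__(self, variant):
        self.variant = variant
        self.heap = {G_ADDR: [0, 0]}   # g starts as a zeroed cell
        self.c_next = None             # internal variable c (its 'next' field)
        self._fresh = 1

    def new(self):
        """let i=new in ...: allocate a fresh two-field cell."""
        addr, self._fresh = self._fresh, self._fresh + 1
        self.heap[addr] = [0, 0]
        return addr

    # --- the module operations of Figure 1 ---------------------------------
    def init(self, i):
        if self.variant == 1:            # init_1 stores the value negated
            self.heap[i][0] = -self.heap[i][0]
        self.c_next = i                  # ownership of cell i moves to the module

    def inc(self):
        i = self.c_next
        self.heap[i][0] += 1 if self.variant == 0 else -1

    def read(self):
        i = self.c_next
        v = self.heap[i][0]
        self.heap[G_ADDR][0] = v if self.variant == 0 else -v


def related_R(m0, m1):
    """R: same domain and same c; every cell equal except the cell c.next,
    whose data field is negated on the second machine."""
    if m0.c_next != m1.c_next or m0.heap.keys() != m1.heap.keys():
        return False
    i = m0.c_next
    for addr, (d0, n0) in m0.heap.items():
        d1, n1 = m1.heap[addr]
        if addr == i:
            if d0 != -d1 or n0 != n1:
                return False
        elif (d0, n0) != (d1, n1):
            return False
    return True


def run_client(body, n, variant):
    """let i=new in (i.data:=n; init(i); body(inc, read)) on one machine.
    body also receives i and the raw heap so that a misbehaving client can be
    written; a client provable against the abstract spec ignores them."""
    m = Machine(variant)
    i = m.new()
    m.heap[i][0] = n
    m.init(i)
    body(m.inc, m.read, i, m.heap)
    return m


def good_body(inc, read, i, heap):
    """Uses only the abstract interface {emp}inc{emp}, {g ↦ -}read{g ↦ -}."""
    inc()
    inc()
    read()


def bad_body(inc, read, i, heap):
    """Dereferences the transferred cell i: not provable from the abstract spec."""
    heap[i][0] += 1
    read()


def check(body, n):
    """Returns (R preserved between the two runs?, same observable g value?)."""
    m0, m1 = run_client(body, n, 0), run_client(body, n, 1)
    return related_R(m0, m1), m0.heap[G_ADDR][0] == m1.heap[G_ADDR][0]


if __name__ == "__main__":
    print("good client:", check(good_body, 5))  # (True, True)
    print("bad client: ", check(bad_body, 5))   # (False, False)
```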

In this paper we provide a new parametric model of separation logic, which captures that clients behave parametrically in internal resource invariants of mutable abstract data types. For instance, our model shows that b(inc, read) preserves the relation R, and thus it behaves in the same way no matter whether we use the first or second implementation of a counter. In the present paper, we will focus on the implicit approach to quantification over internal resource invariants via higher-order frame rules, since it is technically simpler than the explicit approach.¹

Our new model of separation logic is based on two novel ideas. The first is to read specifications in separation logic as relations between two programs. For instance, in our model, the Hoare triple {P} b(inc, read) {Q} describes a relationship between two instantiations [[b(inc, read)]]η₀ and [[b(inc, read)]]η₁ of the client's body b by environments η₀ and η₁. Intuitively, environment ηᵢ defines an implementation of module operations inc and read, so [[b(inc, read)]]ηᵢ means b is linked with the implementation ηᵢ(inc) and ηᵢ(read). Note that when used with appropriate η₀, η₁ (i.e., ηᵢ that maps inc and read to the meaning of incᵢ and readᵢ), the triple expresses how b(inc₀, read₀) is related to b(inc₁, read₁).

¹The reason is that the implicit quantification of separation logic uses quantification in a very disciplined way so that the usual reading of assertions as sets of heaps can be maintained; if we use quantification without any restrictions, as in [3], it appears that we cannot have the usual reading of assertions as sets of heaps because, then, the rule of consequence is not sound.
The second idea is to parameterize the interpretation by relations on heaps. Mathematically, this means that the interpretation uses a Kripke structure that consists of relations on heaps. The relation parameter describes how the internal resource invariants of two modules are related, and it lets us express the preservation of this relation by client programs. In our counter example, an appropriate parameter is the relation R above. When the triple {P} b(inc, read) {Q} is interpreted with R (and ηᵢ corresponding to incᵢ, readᵢ), it says, in particular, that b(inc₀, read₀) and b(inc₁, read₁) should preserve the relation R between the internal resources of the two implementations of a counter.

1.1. Related Work. Technically, it has proven to be a very non-trivial problem to define 
a parametric model for separation logic. One of the main technical challenges in developing 
a relationally parametric model of separation logic, even for a simple first-order language, is 
that the standard models of separation logic allow the identity of locations to be observed 
in the model. This means in particular that allocation of new heap cells is not parametric 
because the identity of the location of the allocated cell can be observed in the model. (We 
made this observation in earlier unpublished joint work with Noah Torp-Smith, see [20, Ch. 6].)

This problem of non-parametric memory allocation has also been noticed by recent work 
on data refinement for heap storage, which exploits semantic ideas from separation logic 
[10, 11]. However, the work on data refinement does not provide a satisfactory solution. Either it avoids the problem by assuming that clients do not allocate cells [10], or its solution has difficulties for handling higher-order procedures and formalizing (observational) equivalences, not refinements, between two implementations of a mutable abstract data type [11].

Our solution to this challenge is to define a more refined semantics of the programming language using FM domain theory, in the style of Benton and Leperchey [4], in which one can name locations but not observe the identity of locations because of the built-in use of permutation of locations. Part of the trick of loc. cit. is to define the semantics in a continuation-passing style so that one can ensure that new locations are suitably fresh with respect to the remainder of the computation. (See Section 4 for more details.) Benton and Leperchey used the FM domain-theoretic model to reason about contextual equivalence and here we extend the approach to give a semantics of separation logic in a continuation-passing style. We relate this new interpretation to the standard direct-style interpretation of separation logic via the so-called observation closure of a relation, see Section 7.

The other main technical challenge in developing a relationally parametric model of 
separation logic for reasoning about mutable abstract data types is to devise a model which 
validates a wide range of higher-order frame rules. Our solution to this challenge is to 
define an intuitionistic interpretation of the specification logic over a Kripke structure, 
whose ordering relation intuitively captures the framing-in of resources. Technically, the 
intuitionistic interpretation, in particular the associated Kripke monotonicity, is used to 
validate a generalized frame rule. Further, to show that the semantics of the logic does 
indeed satisfy Kripke monotonicity for the base case of triples, we interpret triples using a 
universal quantifier, which intuitively quantifies over resources that can possibly be framed 
in. In the earlier non-parametric model of higher-order frame rules for separation-logic 
typing in [8] we also made use of a Kripke structure. The difference is that in the present 
work the elements of the Kripke structure are relations on heaps rather than predicates on 
heaps because we build a relationally parametric model. 
In earlier work, Banerjee and Naumann [1] studied relational parametricity for dynam- 
ically allocated heap objects in a Java-like language. Banerjee and Naumann made use 
of a non-trivial semantic notion of confinement to describe internal resources of a module; 
here instead we use separation logic, in particular separating conjunction and frame rules, 
to describe which resources are internal to the module. Our model directly captures that 
whenever a client has been proved correct in separation logic with respect to an abstract 
view of a module, then it does not matter how the module has been implemented internally. 
And, this holds for a higher-order language with higher-order frame rules. 

This paper is organized as follows. In Section 2 we describe the programming and assertion languages we consider and in Section 3 we define our version of separation logic. In Section 4 we define the semantics of our programming language in the category of FM-cpos, and describe our relational interpretation of separation logic in Section 5. In Section 6 we present a general abstract construction that provides models of specification logic with higher-order frame rules and show that the semantics of the previous section is in fact a special case of the general construction. Section 7 relates our relational interpretation to the standard interpretation of separation logic, and in Section 8 we present the abstraction theorem that our parametric model validates. We describe examples in Section 9 and finally we conclude and discuss future work in Section 10.

An extended abstract of this paper was presented at the FOSSACS 2007 conference [9]. 
This paper includes proofs that were missing in the conference version, and describes a 
general mathematical construction that lies behind our parametric model of separation 
logic. We also include a new example that illustrates the subtleties of the problems and 
results. 

2. Programs and Assertions 

In this paper, we consider a higher-order language with immutable stack variables. The 
types and terms of the language are defined as follows: 

$$
\begin{array}{lrcl}
\text{Types} & \tau & ::= & com \mid val \to \tau \mid \tau \to \tau \\
\text{Expressions} & E & ::= & i \mid 0 \mid 1 \mid -1 \mid E + E \mid E - E \\
\text{Terms} & M & ::= & x \mid \lambda i.\,M \mid M\,E \mid \lambda x : \tau.\,M \mid M\,M \\
& & \mid & \mathrm{fix}\ M \mid \mathrm{if}\ (E{=}E)\ \mathrm{then}\ M\ \mathrm{else}\ M \mid M;M \\
& & \mid & \mathrm{let}\ i{=}\mathrm{new}\ \mathrm{in}\ M \mid \mathrm{free}(E) \mid \mathrm{let}\ i{=}E.f\ \mathrm{in}\ M \mid E.f := E \qquad (f \in \{0,1\})
\end{array}
$$

The language separates expressions E from terms M. Expressions denote heap-independent values, which are either the address of a heap cell or an integer. Expressions are bound to stack variables i, j. On the other hand, terms denote possibly heap-dependent computations, and they are bound to identifiers x, y. The syntax of the language ensures that expressions always terminate, while terms can diverge. The types are used to classify terms only: com denotes commands, val → τ means functions that take an expression parameter, and τ → τ' denotes functions that take a term parameter. Note that to support two different function types, the language includes two kinds of abstraction and application, one for expression parameters and the other for term parameters. We assume that term parameters are passed by name, and expression parameters are passed by value.

To simplify the presentation, we take a simple storage model where each heap cell has only two fields 0 and 1. Command let i=new in M allocates such a binary heap cell, binds the address of the cell to i, and runs M under this binding. The f'th field of this newly allocated cell at address i is read by let j = i.f in N and updated by i.f := E. The cell i is deallocated by free(i).

Expressions:

$$
\begin{array}{c}
\dfrac{}{\Delta, i \vdash i}
\qquad
\dfrac{}{\Delta \vdash 0}
\qquad
\dfrac{}{\Delta \vdash 1}
\qquad
\dfrac{}{\Delta \vdash -1}
\qquad
\dfrac{\Delta \vdash E_1 \quad \Delta \vdash E_2}{\Delta \vdash E_1 + E_2}
\qquad
\dfrac{\Delta \vdash E_1 \quad \Delta \vdash E_2}{\Delta \vdash E_1 - E_2}
\end{array}
$$

Terms:

$$
\begin{array}{c}
\dfrac{}{\Delta \mid \Gamma, x : \tau \vdash x : \tau}
\qquad
\dfrac{\Delta, i \mid \Gamma \vdash M : \tau}{\Delta \mid \Gamma \vdash \lambda i.\,M : val \to \tau}
\qquad
\dfrac{\Delta \mid \Gamma \vdash M : val \to \tau \quad \Delta \vdash E}{\Delta \mid \Gamma \vdash M\,E : \tau}
\\[10pt]
\dfrac{\Delta \mid \Gamma, x : \tau \vdash M : \tau'}{\Delta \mid \Gamma \vdash \lambda x : \tau.\,M : \tau \to \tau'}
\qquad
\dfrac{\Delta \mid \Gamma \vdash M : \tau' \to \tau \quad \Delta \mid \Gamma \vdash N : \tau'}{\Delta \mid \Gamma \vdash M\,N : \tau}
\qquad
\dfrac{\Delta \mid \Gamma \vdash M : \tau \to \tau}{\Delta \mid \Gamma \vdash \mathrm{fix}\ M : \tau}
\\[10pt]
\dfrac{\Delta \vdash E \quad \Delta \vdash F \quad \Delta \mid \Gamma \vdash M : com \quad \Delta \mid \Gamma \vdash N : com}{\Delta \mid \Gamma \vdash \mathrm{if}\ (E{=}F)\ \mathrm{then}\ M\ \mathrm{else}\ N : com}
\\[10pt]
\dfrac{\Delta \mid \Gamma \vdash M : com \quad \Delta \mid \Gamma \vdash N : com}{\Delta \mid \Gamma \vdash M;N : com}
\qquad
\dfrac{\Delta, i \mid \Gamma \vdash M : com}{\Delta \mid \Gamma \vdash \mathrm{let}\ i{=}\mathrm{new}\ \mathrm{in}\ M : com}
\qquad
\dfrac{\Delta \vdash E}{\Delta \mid \Gamma \vdash \mathrm{free}(E) : com}
\\[10pt]
\dfrac{\Delta, i \mid \Gamma \vdash M : com \quad \Delta \vdash E \quad f \in \{0,1\}}{\Delta \mid \Gamma \vdash \mathrm{let}\ i{=}E.f\ \mathrm{in}\ M : com}
\qquad
\dfrac{\Delta \vdash E \quad \Delta \vdash F \quad f \in \{0,1\}}{\Delta \mid \Gamma \vdash E.f := F : com}
\end{array}
$$

Figure 2: Typing Rules for Expressions and Terms

The language uses typing judgments of the form Δ ⊢ E (: val) and Δ | Γ ⊢ M : τ, where Δ is a finite set of stack variables and Γ is a standard type environment for identifiers x. The typing rules for expressions and terms are shown in Figure 2.

We use the standard assertions from separation logic to describe properties of the heap:²

$$P ::= E = E \mid E < E \mid E \mapsto E,E \mid \mathrm{emp} \mid P * P \mid P \wedge P \mid \neg P \mid \exists i.\,P.$$

The points-to predicate E ↦ E₀,E₁ means that the current heap has only one cell at address E and that the i-th field of the cell has the value Eᵢ. The emp predicate denotes 
the empty heap, and the separating conjunction P * Q means that the current heap can 
be split into two parts so that P holds for the one and Q holds for the other. The other 
connectives have the usual meaning from classical logic. All the missing connectives from 
classical logic are defined as usual. 

In the paper, we will use the three abbreviations (E ↦ −), (E ↦ −,E₁) and (E ↦ E₀,−). The first, E ↦ −, is syntactic sugar for ∃i,j. E ↦ i,j and denotes heaps with cell E only. E ↦ −,E₁ is an abbreviation for ∃i. E ↦ i,E₁, and means heaps that contain only cell E and store E₁ in the second field of this unique cell E. The last, E ↦ E₀,−, is defined similarly.

Assertions only depend on stack variables, not identifiers x, y. Thus assertions are typed by a judgment Δ ⊢ P : Assertion. The typing rules for this judgment are completely standard, and thus omitted from this paper.



²We omit separating implication −∗ to simplify presentation.
3. Separation Logic 

Our version of separation logic is the first-order intuitionistic logic extended with Hoare 
triples and invariant extension. The formulas in the logic are called specifications, and they 
are defined by the following grammar: 

$$
\begin{array}{rcl}
\varphi & ::= & \{P\}M\{Q\} \mid \varphi \otimes P \mid E = E \mid M = M \\
& \mid & \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \Rightarrow \varphi \mid \forall x : \tau.\,\varphi \mid \exists x : \tau.\,\varphi \mid \forall i.\,\varphi \mid \exists i.\,\varphi
\end{array}
$$

The formula φ ⊗ P means the extension of φ by the invariant P. It can be viewed as a syntactic transformation of φ that inserts P ∗ − into the pre and post conditions of all triples in φ. For instance, ({P}x{Q} ⇒ {P'}M(x){Q'}) ⊗ P₀ is equivalent to {P ∗ P₀}x{Q ∗ P₀} ⇒ {P' ∗ P₀}M(x){Q' ∗ P₀}. We write Specs for the set of all specifications.

Specifications are typed by the judgment Δ | Γ ⊢ φ : Specs, where we overload Specs to mean the type for specifications.

The logic includes all the usual proof rules from first-order intuitionistic logic with 
equality, and a rule for fixed-point induction. In addition, it contains proof rules from 
separation logic, and higher-order frame rules, expressed in terms of rules for invariant 
introduction and distribution. Figure 3 shows some of these additional rules and a rule for fixed-point induction. In the figure, we often omit contexts Δ | Γ for specifications and also conditions about typing.

The rules for Hoare triples are the standard proof rules of separation logic adapted to our language. Note that in the rule of consequence, we use the standard semantics of assertions P, P', Q, Q', in order to express semantic implications between those assertions (of course, standard logical derivability Δ | P ⊢ P' and Δ | Q' ⊢ Q are sufficient conditions). The rules for invariant extension formalize higher-order frame rules, extending the idea in [8]. The generalized higher-order frame rule φ ⇒ φ ⊗ P adds an invariant P to specification φ, and the other rules distribute this added invariant all the way down to the triples. We just show one use of those rules that leads to the second-order frame rule:

$$
\begin{array}{l}
\Delta \mid \Gamma, x : com \vdash \{P\}x\{Q\} \Rightarrow \{P'\}M(x)\{Q'\} \\
\Delta \mid \Gamma, x : com \vdash (\{P\}x\{Q\} \Rightarrow \{P'\}M(x)\{Q'\}) \otimes P_0 \\
\Delta \mid \Gamma, x : com \vdash \{P\}x\{Q\} \otimes P_0 \Rightarrow \{P'\}M(x)\{Q'\} \otimes P_0 \\
\Delta \mid \Gamma, x : com \vdash \{P * P_0\}x\{Q * P_0\} \Rightarrow \{P' * P_0\}M(x)\{Q' * P_0\}
\end{array}
$$
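As an added example, not from the paper, the following Python code implements the invariant extension φ ⊗ P as the syntactic transformation described above, following the distribution rules for ⊗ in Figure 3; assertions are kept as plain strings, the free-variable check on stack quantifiers is approximated by scanning identifiers, and the AST classes and the functions extend, show and second_order_frame_example are constructed here.

```python
"""Constructed example: φ ⊗ P as a syntactic transformation on a small
specification AST (not code from the paper)."""

from dataclasses import dataclass
from typing import Union
import re


@dataclass(frozen=True)
class Triple:              # {pre} term {post}
    pre: str
    term: str
    post: str


@dataclass(frozen=True)
class Eq:                  # E = E or M = M; unaffected by ⊗
    lhs: str
    rhs: str


@dataclass(frozen=True)
class Bin:                 # φ ⊕ ψ with ⊕ ∈ {∧, ∨, ⇒}
    op: str
    left: "Spec"
    right: "Spec"


@dataclass(frozen=True)
class Quant:               # κx:τ.φ or κi.φ with κ ∈ {∀, ∃}
    kappa: str
    var: str
    stack_var: bool        # True for a stack variable i, False for an identifier x
    body: "Spec"


Spec = Union[Triple, Eq, Bin, Quant]


def fv(assertion):
    """Free variables of an assertion, approximated as the identifiers in it."""
    return set(re.findall(r"[A-Za-z_]\w*", assertion)) - {"emp"}


def extend(spec, inv):
    """Compute φ ⊗ inv: push inv * - into every triple of φ, leave equations
    alone, and distribute over connectives and quantifiers (Figure 3)."""
    if isinstance(spec, Triple):
        return Triple(f"{spec.pre} * {inv}", spec.term, f"{spec.post} * {inv}")
    if isinstance(spec, Eq):
        return spec
    if isinstance(spec, Bin):
        return Bin(spec.op, extend(spec.left, inv), extend(spec.right, inv))
    if isinstance(spec, Quant):
        # side condition of Figure 3: a stack-variable quantifier must not
        # capture a variable that is free in the invariant
        if spec.stack_var and spec.var in fv(inv):
            raise ValueError(f"{spec.var} occurs free in invariant {inv!r}")
        return Quant(spec.kappa, spec.var, spec.stack_var, extend(spec.body, inv))
    raise TypeError(type(spec))


def show(spec):
    """Pretty-print a specification in the notation of Section 3."""
    if isinstance(spec, Triple):
        return f"{{{spec.pre}}}{spec.term}{{{spec.post}}}"
    if isinstance(spec, Eq):
        return f"{spec.lhs} = {spec.rhs}"
    if isinstance(spec, Bin):
        return f"({show(spec.left)} {spec.op} {show(spec.right)})"
    return f"{spec.kappa}{spec.var}. {show(spec.body)}"


def second_order_frame_example():
    """The derivation in the text: ({P}x{Q} ⇒ {P'}M(x){Q'}) ⊗ P0."""
    spec = Bin("⇒", Triple("P", "x", "Q"), Triple("P'", "M(x)", "Q'"))
    return show(extend(spec, "P0"))


if __name__ == "__main__":
    print(second_order_frame_example())
```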

The last rule is for fixed-point induction, and it relies on the restriction that a specification is of the form γ(fix M). The grammar for γ guarantees that γ(x) defines an admissible predicate for x, thus ensuring the soundness of fixed-point induction. Moreover, it also guarantees that γ(x) holds when M means ⊥, so allowing us to omit a usual base case, "γ(⊥)," from the rule.

Note that the rules do not include the so-called conjunction rule:

$$(\{P\}M\{Q\} \wedge \{P'\}M\{Q'\}) \Rightarrow \{P \wedge P'\}\,M\,\{Q \wedge Q'\}$$

The omission of this rule is crucial, since our parametricity interpretation does not validate the rule. We discuss the conjunction rule further in Section 10.

Example 3.1. Recall the counter example from the introduction and consider the following 
simple client 

let i=new in (i.0 := 5; init(i); inc; read).
Proof Rules for Hoare Triples

$$
\begin{array}{l}
(\forall i.\ \{P\}M\{Q\}) \Rightarrow \{\exists i.\ P\}\,M\,\{\exists i.\ Q\} \qquad (\text{where } i \notin fv(M)) \\
(\{P\}M\{Q\} \wedge \{P'\}M\{Q'\}) \Rightarrow \{P \vee P'\}\,M\,\{Q \vee Q'\} \\
(\{P \wedge E{=}F\}M\{Q\} \wedge \{P \wedge E{\neq}F\}N\{Q\}) \Rightarrow \{P\}\,\mathrm{if}\ (E{=}F)\ \mathrm{then}\ M\ \mathrm{else}\ N\,\{Q\} \\
(\{P\}M\{P_0\} \wedge \{P_0\}N\{Q\}) \Rightarrow \{P\}\,M;N\,\{Q\} \\
(\forall i.\ \{P * i \mapsto 0,0\}M\{Q\}) \Rightarrow \{P\}\,\mathrm{let}\ i{=}\mathrm{new}\ \mathrm{in}\ M\,\{Q\} \qquad (\text{where } i \notin fv(P,Q)) \\
(\forall i.\ \{P * E \mapsto i,E_1\}M\{Q\}) \Rightarrow \{\exists i.\ P * E \mapsto i,E_1\}\,\mathrm{let}\ i{=}E.0\ \mathrm{in}\ M\,\{Q\} \qquad (\text{where } i \notin fv(E,Q)) \\
\{E \mapsto -\}\,\mathrm{free}(E)\,\{\mathrm{emp}\} \\
\{E \mapsto -,E_1\}\,E.0 := F\,\{E \mapsto F,E_1\}
\end{array}
$$

$$
\dfrac{\llbracket P \rrbracket_\rho \subseteq \llbracket P' \rrbracket_\rho \ \text{ and }\ \llbracket Q' \rrbracket_\rho \subseteq \llbracket Q \rrbracket_\rho \ \text{ for all } \rho \in \llbracket \Delta \rrbracket}{\Delta \mid \Gamma \vdash \{P'\}M\{Q'\} \Rightarrow \{P\}M\{Q\}}
$$

Proof Rules for Invariant Extension − ⊗ P

$$
\begin{array}{l}
\varphi \Rightarrow \varphi \otimes P \qquad\qquad \{P\}M\{P'\} \otimes Q \Leftrightarrow \{P * Q\}M\{P' * Q\} \\[4pt]
(E = F) \otimes Q \Leftrightarrow E = F \qquad\qquad (M = N) \otimes Q \Leftrightarrow (M = N) \\[4pt]
(\varphi \otimes P) \otimes Q \Leftrightarrow \varphi \otimes (P * Q) \qquad\qquad (\varphi \oplus \psi) \otimes P \Leftrightarrow (\varphi \otimes P) \oplus (\psi \otimes P) \qquad (\text{where } \oplus \in \{\wedge, \vee, \Rightarrow\}) \\[4pt]
(\kappa x : \tau.\ \varphi) \otimes P \Leftrightarrow \kappa x : \tau.\ \varphi \otimes P \qquad (\text{where } \kappa \in \{\forall, \exists\}) \\[4pt]
(\kappa i.\ \varphi) \otimes P \Leftrightarrow \kappa i.\ \varphi \otimes P \qquad (\text{where } \kappa \in \{\forall, \exists\} \text{ and } i \notin fv(P))
\end{array}
$$

Rule for Fixed-Point Induction

$$
\begin{array}{l}
C ::= [\,] \mid \lambda i.\,C \mid C\,E \mid \lambda x : \tau.\,C \mid C\,M \mid \mathrm{fix}\ C \mid C;M
\qquad\qquad
\gamma ::= \{P\}C\{Q\} \mid \gamma \wedge \gamma \mid \forall x : \tau.\,\gamma \mid \forall i.\,\gamma \\[6pt]
(\forall x.\ \gamma(x) \Rightarrow \gamma(M\,x)) \Rightarrow \gamma(\mathrm{fix}\ M)
\end{array}
$$

where γ(N) is a capture-avoiding insertion of N into the hole [−] in γ.

Figure 3: Sample Proof Rules

whose body consists of inc; read. The client initializes the value of the counter to 5, increases 
the counter, and reads the value of the counter. 

In our logic, we can prove that the body of the client satisfies: 

$$\Delta \mid \Gamma \vdash \varphi \Rightarrow \{g \mapsto -\}\,inc;read\,\{g \mapsto -\}$$

where Δ is a set of stack variables containing g and Γ, φ are defined by

$$\Gamma \stackrel{\mathrm{def}}{=} \{inc : com,\ read : com\}, \qquad \varphi \stackrel{\mathrm{def}}{=} \{\mathrm{emp}\}\,inc\,\{\mathrm{emp}\} \wedge \{g \mapsto -\}\,read\,\{g \mapsto -\}.$$

Note that cell i, which is transferred to the counter by init(i), does not appear in any 
assertion of the specification for the client's body. This implies, correctly, that the client 
does not dereference the transferred cell i, after calling init(i). 
The formal proof of the specification of the body uses the first-order frame rule, and it 
is given below: 

1. Δ | Γ ⊢ φ ⇒ {emp} inc {emp}
2. Δ | Γ ⊢ φ ⇒ ({emp} inc {emp} ⊗ (g ↦ −))
3. Δ | Γ ⊢ φ ⇒ {emp ∗ g ↦ −} inc {emp ∗ g ↦ −}
4. Δ | Γ ⊢ φ ⇒ {g ↦ −} inc {g ↦ −}
5. Δ | Γ ⊢ φ ⇒ {g ↦ −} read {g ↦ −}
6. Δ | Γ ⊢ φ ⇒ {g ↦ −} inc; read {g ↦ −}

The interesting parts of the proof are steps 2, 3, where we use rules for invariant extensions, in order to add the frame axiom g ↦ − into the pre and post conditions of a triple. Note that the addition of this frame axiom starts with a generalized frame rule φ ⇒ φ ⊗ P, and continues with the rule that moves P inside φ. The remaining steps 1, 5, 4, 6 are instances of usual rules for first-order intuitionistic logic or Hoare logic, such as the elimination rule for conjunction and the rule of Consequence. □



4. Semantics of Programming Language 

Let Loc be a countably infinite set of locations. The programming language is inter- 
preted in the category of FM-cpos on Loc. 

We remind the reader of the basics of FM domain theory. Call a bijection π on Loc a permutation when π(l) ≠ l only for finitely many l, and let perm be the set of all permutations. An FM-set is a pair of a set A and a function · of type perm × A → A, such that (1) id · a = a and π · (π' · a) = (π ∘ π') · a, and (2) every a ∈ A is supported by some finite subset L of Loc, i.e.,

$$\forall \pi \in perm.\ (\forall l \in L.\ \pi(l) = l) \Rightarrow \pi \cdot a = a.$$

It is known that every element a in an FM-set A has a smallest set L that supports a. This smallest set is denoted supp(a). An FM function f from an FM-set A to an FM-set B is a function from A to B such that f(π · a) = π · (f(a)) for all a, π.

An FM-poset is an FM-set A with a partial order ⊑ on A such that a ⊑ b ⇒ π · a ⊑ π · b for all π, a, b. We say that an (ω-)chain {aᵢ}ᵢ in an FM-poset A is finitely supported iff there is a finite subset L of Loc that supports all elements in the chain. Finally, an FM-cpo is an FM-poset (A, ⊑) for which every finitely-supported chain {aᵢ}ᵢ has a least upper bound, and an FM continuous function f from an FM-cpo A to an FM-cpo B is an FM function from A to B that preserves the least upper bounds of all finitely supported chains.

Types are interpreted as pointed FM-cpos, using the categorical structure of the category of FM-cpos, see Figure 4. In the figure, we use the FM-cpo Val of references defined by:

$$Val \stackrel{\mathrm{def}}{=} Loc + Int + \{default\}$$

where π · v ≝ if (v ∉ Loc) then v else π(v), and default denotes a default value used for type-incorrect expressions, such as the addition of two locations. The only nonstandard part is the semantics of the command type com, which we define in the continuation passing style following [19, 4]:

$$
\begin{array}{ll}
O \stackrel{\mathrm{def}}{=} \{normal, err\}_\bot \ \ (\text{with } \pi \cdot o = o) & Heap \stackrel{\mathrm{def}}{=} Loc \rightharpoonup_{fin} Val \times Val \\[4pt]
Cont \stackrel{\mathrm{def}}{=} (Heap \to O) & \llbracket com \rrbracket \stackrel{\mathrm{def}}{=} (Heap \times Cont \to O).
\end{array}
$$

$$
\begin{array}{rcl}
Val & \stackrel{\mathrm{def}}{=} & Loc + Int + \{default\} \\
O & \stackrel{\mathrm{def}}{=} & \{normal, err\}_\bot \\
Heap & \stackrel{\mathrm{def}}{=} & Loc \rightharpoonup_{fin} Val \times Val \\
Cont & \stackrel{\mathrm{def}}{=} & Heap \to O \\
\llbracket val \to \tau \rrbracket & \stackrel{\mathrm{def}}{=} & Val \to \llbracket \tau \rrbracket \\
\llbracket \tau \to \tau' \rrbracket & \stackrel{\mathrm{def}}{=} & \llbracket \tau \rrbracket \to \llbracket \tau' \rrbracket \\
\llbracket com \rrbracket & \stackrel{\mathrm{def}}{=} & Heap \times Cont \to O \\
\llbracket \Delta \rrbracket & \stackrel{\mathrm{def}}{=} & \prod_{i \in \Delta} Val \\
\llbracket \Gamma \rrbracket & \stackrel{\mathrm{def}}{=} & \prod_{x : \tau \in \Gamma} \llbracket \tau \rrbracket
\end{array}
$$

Figure 4: Interpretation of Types and Typing Contexts

Here A × B and A → B are cartesian product and exponential in the category of FM-cpos. And A ⇀fin B is the FM-cpo of the finite partial functions from A to B whose order and permutation action are defined below:

$$
\begin{array}{l}
(1)\ \ f \sqsubseteq g \ \stackrel{\mathrm{def}}{\Longleftrightarrow}\ dom(f) = dom(g) \text{ and } f(a) \sqsubseteq g(a) \text{ for all } a \in dom(f), \\[4pt]
(2)\ \ (\pi \cdot f)(a) \stackrel{\mathrm{def}}{=} \text{if } (a \in \pi(dom(f))) \text{ then } (\pi \cdot ((f \circ \pi^{-1})(a))) \text{ else undefined}.
\end{array}
$$

The first FM-cpo O specifies all possible observations, which are normal termination normal, erroneous termination err or divergence ⊥. The next FM-cpo Heap denotes the set of heaps. It formalizes that a heap contains only finitely many allocated cells and each cell in the heap has two fields. The third FM-cpo Cont represents the set of continuations that consume heaps. Finally, [[com]] is the set of cps-style commands. Those commands take a current heap h and a continuation k, and compute an observation in O (often by computing a final heap h', and calling the given continuation k with h').

Note that Heap has the usual heap disjointness predicate h#h', which denotes the disjointness of dom(h) and dom(h'), and the usual partial heap combining operator •, which takes the union of (the graphs of) two disjoint heaps. The # predicate and • operator fit well with FM domain theory, because they preserve all permutations: h#h' ⇔ (π · h)#(π · h') and π · (h • h') = (π · h) • (π · h').

The semantics of typing contexts Δ and Γ is given by cartesian products:

$$\llbracket \Delta \rrbracket \stackrel{\mathrm{def}}{=} \prod_{i \in \Delta} Val \qquad\text{and}\qquad \llbracket \Gamma \rrbracket \stackrel{\mathrm{def}}{=} \prod_{x : \tau \in \Gamma} \llbracket \tau \rrbracket.$$

The products here are taken over finite families, so they give well-defined FM-cpos.³ We will use symbols ρ and η to denote environments in [[Δ]] and [[Γ]], respectively.

The semantics of expressions and terms is shown in Figures 5 and 6. It is standard, except for the case of allocation, where we make use of the underlying FM domain theory: The interpretation picks a location that is fresh with respect to currently known values (i.e., supp(h, η, ρ)) as well as those that will be used by the continuation (i.e., supp(k)). The cps-style interpretation gives us an explicit handle on which locations are used by the continuation, and the FM domain theory ensures that supp(h, η, ρ, k) is finite (so a new location l can be chosen) and that the choice of l does not matter, as long as l is not in supp(h, η, ρ, k). (Formally, one shows by induction that the semantics is well-defined.) We borrowed this interpretation from Benton and Leperchey [4].

³An infinite product of FM-cpos is not necessarily an FM-cpo.

$$
\begin{array}{l}
\llbracket \Delta \vdash E \rrbracket : \llbracket \Delta \rrbracket \to Val \\[6pt]
\llbracket \Delta, i \vdash i \rrbracket_\rho \stackrel{\mathrm{def}}{=} \rho(i) \qquad
\llbracket \Delta \vdash 0 \rrbracket_\rho \stackrel{\mathrm{def}}{=} 0 \qquad
\llbracket \Delta \vdash 1 \rrbracket_\rho \stackrel{\mathrm{def}}{=} 1 \qquad
\llbracket \Delta \vdash -1 \rrbracket_\rho \stackrel{\mathrm{def}}{=} -1 \\[4pt]
\llbracket \Delta \vdash E_1 + E_2 \rrbracket_\rho \stackrel{\mathrm{def}}{=} \text{if } (\llbracket E_1 \rrbracket_\rho, \llbracket E_2 \rrbracket_\rho \in Int) \text{ then } (\llbracket E_1 \rrbracket_\rho + \llbracket E_2 \rrbracket_\rho) \text{ else } default \\[4pt]
\llbracket \Delta \vdash E_1 - E_2 \rrbracket_\rho \stackrel{\mathrm{def}}{=} \text{if } (\llbracket E_1 \rrbracket_\rho, \llbracket E_2 \rrbracket_\rho \in Int) \text{ then } (\llbracket E_1 \rrbracket_\rho - \llbracket E_2 \rrbracket_\rho) \text{ else } default
\end{array}
$$

Figure 5: Interpretation of Expressions

$$
\begin{array}{l}
\llbracket \Delta \mid \Gamma \vdash M : \tau \rrbracket : \llbracket \Delta \rrbracket \times \llbracket \Gamma \rrbracket \to \llbracket \tau \rrbracket \\[6pt]
\llbracket \Delta \mid \Gamma, x : \tau \vdash x : \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} \eta(x) \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \lambda i.\,M : val \to \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} \lambda v : Val.\ \llbracket \Delta, i \mid \Gamma \vdash M : \tau \rrbracket_{\rho[i \mapsto v],\eta} \\[4pt]
\llbracket \Delta \mid \Gamma \vdash M\,E : \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} (\llbracket \Delta \mid \Gamma \vdash M : val \to \tau \rrbracket_{\rho,\eta})\ \llbracket E \rrbracket_\rho \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \lambda x : \tau'.\,M : \tau' \to \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} \lambda m : \llbracket \tau' \rrbracket.\ \llbracket \Delta \mid \Gamma, x : \tau' \vdash M : \tau \rrbracket_{\rho,\eta[x \mapsto m]} \\[4pt]
\llbracket \Delta \mid \Gamma \vdash M\,N : \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} (\llbracket \Delta \mid \Gamma \vdash M : \tau' \to \tau \rrbracket_{\rho,\eta})\ \llbracket \Delta \mid \Gamma \vdash N : \tau' \rrbracket_{\rho,\eta} \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \mathrm{fix}\ M : \tau \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} \mathrm{leastfix}\ \llbracket \Delta \mid \Gamma \vdash M : \tau \to \tau \rrbracket_{\rho,\eta} \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \mathrm{if}\ (E{=}F)\ \mathrm{then}\ M\ \mathrm{else}\ N : com \rrbracket_{\rho,\eta} \stackrel{\mathrm{def}}{=} \text{if } \llbracket E \rrbracket_\rho = \llbracket F \rrbracket_\rho \text{ then } \llbracket \Delta \mid \Gamma \vdash M : com \rrbracket_{\rho,\eta} \text{ else } \llbracket \Delta \mid \Gamma \vdash N : com \rrbracket_{\rho,\eta} \\[4pt]
\llbracket \Delta \mid \Gamma \vdash M;N : com \rrbracket_{\rho,\eta}(h, k) \stackrel{\mathrm{def}}{=} \text{let } k' \text{ be } \lambda h'.\ \llbracket \Delta \mid \Gamma \vdash N : com \rrbracket_{\rho,\eta}(h', k) \text{ in } \llbracket \Delta \mid \Gamma \vdash M : com \rrbracket_{\rho,\eta}(h, k') \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \mathrm{let}\ i{=}\mathrm{new}\ \mathrm{in}\ M : com \rrbracket_{\rho,\eta}(h, k) \stackrel{\mathrm{def}}{=} \llbracket \Delta, i \mid \Gamma \vdash M : com \rrbracket_{\rho[i \mapsto l],\eta}(h \bullet [l \mapsto 0,0],\ k) \qquad (\text{where } l \in (Loc - supp(h, \rho, \eta, k))) \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \mathrm{free}(E) : com \rrbracket_{\rho,\eta}(h, k) \stackrel{\mathrm{def}}{=} \text{if } \llbracket E \rrbracket_\rho \notin dom(h) \text{ then } err \text{ else } (k(h') \text{ for } h' \text{ s.t. } h' \bullet [\llbracket E \rrbracket_\rho \mapsto h(\llbracket E \rrbracket_\rho)] = h) \\[4pt]
\llbracket \Delta \mid \Gamma \vdash \mathrm{let}\ i{=}E.0\ \mathrm{in}\ M : com \rrbracket_{\rho,\eta}(h, k) \stackrel{\mathrm{def}}{=} \text{if } \llbracket E \rrbracket_\rho \notin dom(h) \text{ then } err \text{ else let } (v, v') = h(\llbracket E \rrbracket_\rho) \text{ in } \llbracket \Delta, i \mid \Gamma \vdash M : com \rrbracket_{\rho[i \mapsto v],\eta}(h, k) \\[4pt]
\llbracket \Delta \mid \Gamma \vdash E.0 := F : com \rrbracket_{\rho,\eta}(h, k) \stackrel{\mathrm{def}}{=} \text{if } \llbracket E \rrbracket_\rho \notin dom(h) \text{ then } err \text{ else } (\text{let } (v, v') = h(\llbracket E \rrbracket_\rho) \text{ in } k(h[\llbracket E \rrbracket_\rho \mapsto (\llbracket F \rrbracket_\rho, v')]))
\end{array}
$$

Figure 6: Interpretation of Terms

5. Relational Interpretation of Separation Logic 

We now present the main result of this paper, a relational interpretation of separation 
logic. In this interpretation, a specification means a relation on terms, rather than a set of 
terms "satisfying" the specification. This relational reading formalizes the intuitive claim 
that proof rules in separation logic ensure parametricity with respect to the heap. 
Our interpretation has two important components that ensure parametricity. The first is a Kripke structure 𝓡. The possible worlds of 𝓡 are finitely supported binary relations r on heaps, and the accessibility relation is the preorder defined by the separating conjunction for relations:

$$
\begin{array}{rcl}
h_0[r * s]h_1 & \stackrel{\mathrm{def}}{\Longleftrightarrow} & \text{there exist splittings } n_0 \bullet m_0 = h_0 \text{ and } n_1 \bullet m_1 = h_1 \text{ such that } n_0[r]n_1 \text{ and } m_0[s]m_1, \\[4pt]
r \sqsubseteq r' & \stackrel{\mathrm{def}}{\Longleftrightarrow} & \text{there exists } s \text{ such that } r * s = r'.
\end{array}
$$

Intuitively, r ⊑ r' means that r' is a ∗-extension of r by some s. The Kripke structure 𝓡 parameterizes our interpretation, and it guarantees that all the logical connectives behave parametrically wrt. relations between internal resource invariants.

The second is semantic quadruples, which describe the relationship between two commands. We use the semantic quadruples to interpret Hoare triples relationally. Consider $c_0, c_1 \in \llbracket \mathsf{com} \rrbracket$ and $r, s \in \mathcal{R}$. For each subset $D_0$ of an FM-cpo $D$, define $\mathsf{eq}(D_0)$ to be the partial identity relation on $D$ that equates only the elements in $D_0$. A semantic quadruple $[r](c_0,c_1)[s]$ holds iff

$$\forall r' \in \mathcal{R}.\ \forall h_0,h_1 \in \mathit{Heap}.\ \forall k_0,k_1 \in \mathit{Cont}.\ \big(h_0[r*r']h_1 \ \wedge\ k_0[s*r' \to \mathsf{eq}(G)]k_1\big) \Longrightarrow c_0(h_0,k_0)[\mathsf{eq}(G)]c_1(h_1,k_1),$$

where $G$ is the set $O - \{\mathit{err}\} = \{\mathit{normal}, \bot\}$ of good observations, and where $k_0[s*r' \to \mathsf{eq}(G)]k_1$ means that $k_0,k_1$ map heaps related in $s*r'$ into the diagonal of $G$. The above condition indirectly expresses that if the input heaps $h_0,h_1$ are $r*r'$-related, then the output heaps are related by $s*r'$. Note that the definition quantifies over relations $r'$ for new heaps, thus implementing relational parametricity. In Section 7 we show how semantic quadruples are related to a more direct way of relating two commands, and we also show that the parametricity in the definition of semantic quadruples implies the locality condition in separation logic [18].

The semantics of the logic is defined by the satisfaction relation $\models_{\Delta\mid\Gamma}$ between $\llbracket\Delta\rrbracket \times \llbracket\Gamma\rrbracket^2 \times \mathcal{R}$ and Specs, such that $\models_{\Delta\mid\Gamma}$ satisfies Kripke monotonicity:

$$\big((\rho,\eta_0,\eta_1,r) \models_{\Delta\mid\Gamma} \varphi\big) \ \wedge\ (r \sqsubseteq r') \ \Longrightarrow\ \big((\rho,\eta_0,\eta_1,r') \models_{\Delta\mid\Gamma} \varphi\big).$$

One way to understand the satisfaction relation is to assume two machines that execute the same set of terms. Each of these machines contains a chip that implements a module with a fixed set of operations. Intuitively, the $(\rho,\eta_0,\eta_1,r)$ parameter of $\models$ specifies the configurations of those machines: one machine uses $(\rho,\eta_0)$ to bind free stack variables and identifiers of terms, and the other machine uses $(\rho,\eta_1)$ for the same purpose; and the internal resources of the built-in modules in those machines are related by $r$. The judgment $(\rho,\eta_0,\eta_1,r) \models_{\Delta\mid\Gamma} \varphi$ means that if the two machines are configured by $(\rho,\eta_0,\eta_1,r)$, then the meanings of the terms in the two machines are $\varphi$-related. Note that we allow different environments for the $\Gamma$ context only, not for the $\Delta$ context. This is because we are mainly concerned with parametricity with respect to the heap, and only $\Gamma$ entities, not $\Delta$ entities, depend on the heap.

Figure 7 shows the detailed interpretation of specifications. In the figure, we make use of the standard semantics of assertions [18]. We now explain three cases in the definition of $\models$.

¹ A relation $r$ is finitely supported iff there is $L \subseteq_{\mathrm{fin}} \mathit{Loc}$ s.t. for every permutation $\pi$, if $\pi(l) = l$ for all $l \in L$, then $\forall h_0,h_1.\ h_0[r]h_1 \Longleftrightarrow (\pi\cdot h_0)[r](\pi\cdot h_1)$.

For all environments $\rho \in \llbracket\Delta\rrbracket$ and $\eta_0,\eta_1 \in \llbracket\Gamma\rrbracket$ and all worlds $r \in \mathcal{R}$,

$$\begin{array}{@{}l@{\ }c@{\ }l}
(\rho,\eta_0,\eta_1,r) \models \{P\}M\{Q\} &\stackrel{\mathrm{def}}{\Longleftrightarrow}& [\mathsf{eq}(\llbracket P\rrbracket_\rho) * r]\,(\llbracket M\rrbracket_{\rho,\eta_0}, \llbracket M\rrbracket_{\rho,\eta_1})\,[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r] \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \varphi \otimes P &\stackrel{\mathrm{def}}{\Longleftrightarrow}& (\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \varphi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models E = F &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \llbracket E\rrbracket_\rho = \llbracket F\rrbracket_\rho \\[2pt]
(\rho,\eta_0,\eta_1,r) \models M = N &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \llbracket M\rrbracket_{\rho,\eta_0} = \llbracket N\rrbracket_{\rho,\eta_0} \text{ and } \llbracket M\rrbracket_{\rho,\eta_1} = \llbracket N\rrbracket_{\rho,\eta_1} \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \varphi \Rightarrow \psi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \text{for all } s \in \mathcal{R}, \text{ if } (\rho,\eta_0,\eta_1,r*s) \models \varphi, \text{ then } (\rho,\eta_0,\eta_1,r*s) \models \psi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \forall i.\,\varphi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \text{for all } v \in \mathit{Val},\ (\rho[i\mapsto v],\eta_0,\eta_1,r) \models \varphi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \exists i.\,\varphi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \text{there exists } v \in \mathit{Val} \text{ s.t. } (\rho[i\mapsto v],\eta_0,\eta_1,r) \models \varphi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \forall x{:}\tau.\,\varphi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \text{for all } m,n \in \llbracket\tau\rrbracket,\ (\rho,\eta_0[x\mapsto m],\eta_1[x\mapsto n],r) \models \varphi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \exists x{:}\tau.\,\varphi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \text{there exist } m,n \in \llbracket\tau\rrbracket \text{ s.t. } (\rho,\eta_0[x\mapsto m],\eta_1[x\mapsto n],r) \models \varphi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \varphi \wedge \psi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& (\rho,\eta_0,\eta_1,r) \models \varphi \text{ and } (\rho,\eta_0,\eta_1,r) \models \psi \\[2pt]
(\rho,\eta_0,\eta_1,r) \models \varphi \vee \psi &\stackrel{\mathrm{def}}{\Longleftrightarrow}& (\rho,\eta_0,\eta_1,r) \models \varphi \text{ or } (\rho,\eta_0,\eta_1,r) \models \psi
\end{array}$$

Figure 7: Relational Interpretation of Separation Logic

The first case is implication. Our interpretation of implication exploits the specific notion of accessibility in $\mathcal{R}$. It is equivalent to the standard Kripke semantics of implication:

$$\text{for all } r' \in \mathcal{R}, \text{ if } r \sqsubseteq r' \text{ and } (\rho,\eta_0,\eta_1,r') \models \varphi, \text{ then } (\rho,\eta_0,\eta_1,r') \models \psi,$$

because $r \sqsubseteq r'$ iff $r' = r * s$ for some $s$.

The second case is quantification. If a stack variable $i$ is quantified, we consider one semantic value, but if an identifier $x$ is quantified, we consider two semantic values. This again reflects that in our relational interpretation we are mainly concerned with heap-dependent entities. Thus, we only read quantifiers for heap-dependent entities $x$ relationally.

The last case is invariant extension $\varphi \otimes P$. Mathematically, it says that if we extend the $r$ parameter by the partial equality for predicate $P$, specification $\varphi$ holds. Intuitively, this means that some heap cells not appearing in the specification $\varphi$ satisfy the invariant $P$.

A specification $\Delta \mid \Gamma \vdash \varphi$ is valid iff $(\rho,\eta_0,\eta_1,r) \models \varphi$ holds for all $(\rho,\eta_0,\eta_1,r)$. A proof rule is sound when it is a valid axiom or an inference rule that concludes a valid specification from valid premises.

Lemma 5.1. The axioms for $\otimes$ are sound.

Proof. All the axioms for $\otimes$ have the form $\varphi \Rightarrow \psi$ or $\varphi \Leftrightarrow \psi$. When proving those axioms, we use the fact that $\varphi \Rightarrow \psi$ is valid if and only if $(\rho,\eta_0,\eta_1,r) \models \varphi$ implies $(\rho,\eta_0,\eta_1,r) \models \psi$ for all $(\rho,\eta_0,\eta_1,r)$.

First, consider the generalized frame rule $\varphi \Rightarrow \varphi \otimes P$. Suppose that $(\rho,\eta_0,\eta_1,r) \models \varphi$. Then, by Kripke monotonicity, $(\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \varphi$. Thus, $(\rho,\eta_0,\eta_1,r) \models \varphi \otimes P$.





Second, consider the distribution rule for triples. We prove the validity of this rule as follows:

$$\begin{array}{@{}cl}
& (\rho,\eta_0,\eta_1,r) \models \{P\}M\{Q\} \otimes P_0 \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P_0\rrbracket_\rho)) \models \{P\}M\{Q\} \quad (\text{by the semantics of } \otimes P_0) \\
\Longleftrightarrow& [\mathsf{eq}(\llbracket P\rrbracket_\rho) * \mathsf{eq}(\llbracket P_0\rrbracket_\rho) * r]\,(\llbracket M\rrbracket_{\rho,\eta_0},\llbracket M\rrbracket_{\rho,\eta_1})\,[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * \mathsf{eq}(\llbracket P_0\rrbracket_\rho) * r] \\
\Longleftrightarrow& [\mathsf{eq}(\llbracket P * P_0\rrbracket_\rho) * r]\,(\llbracket M\rrbracket_{\rho,\eta_0},\llbracket M\rrbracket_{\rho,\eta_1})\,[\mathsf{eq}(\llbracket Q * P_0\rrbracket_\rho) * r] \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r) \models \{P * P_0\}M\{Q * P_0\} \quad (\text{by the semantics of triples}).
\end{array}$$

The second equivalence is by the semantics of triples, and the third equivalence holds because $\mathsf{eq}$ maps $*$ for predicates to $*$ for relations.

Third, we prove the soundness of the distribution rules for equality. Note that the semantics of $E = F$ and $M = N$ is independent of the heap relation $r$ in $(\rho,\eta_0,\eta_1,r)$. Thus, once we fix the $\rho,\eta_0,\eta_1$ components, either $E = F$ and $M = N$ hold for all $r$, or $E = F$ and $M = N$ hold for no $r$. Let $\varphi$ be $E = F$ or $M = N$. From the property of $\varphi$ that we have just pointed out, it follows that

$$(\rho,\eta_0,\eta_1,r) \models \varphi \ \Longleftrightarrow\ (\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \varphi \ \Longleftrightarrow\ (\rho,\eta_0,\eta_1,r) \models \varphi \otimes P.$$

Finally, consider all the remaining rules, which are distribution rules for logical connectives. All cases can be proved mostly by unrolling and rolling the definition of $\models$. Here we explain two cases. The first case is the distribution rule for existential quantification of $i$. We prove that this rule is sound below:

$$\begin{array}{@{}cl}
& (\rho,\eta_0,\eta_1,r) \models \exists i.\,(\varphi \otimes P) \\
\Longleftrightarrow& \text{there exists } v \in \mathit{Val} \text{ s.t. } (\rho[i\mapsto v],\eta_0,\eta_1,r) \models \varphi \otimes P \\
\Longleftrightarrow& \text{there exists } v \in \mathit{Val} \text{ s.t. } (\rho[i\mapsto v],\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_{\rho[i\mapsto v]})) \models \varphi \\
\Longleftrightarrow& \text{there exists } v \in \mathit{Val} \text{ s.t. } (\rho[i\mapsto v],\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \varphi \quad (\text{since } i \notin \mathrm{fv}(P)) \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \exists i.\,\varphi \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r) \models (\exists i.\,\varphi) \otimes P.
\end{array}$$

All the equivalences except the third follow by rolling/unrolling the definition of $\models$. The next case is the rule for implication, which we prove sound as follows:

$$\begin{array}{@{}cl}
& (\rho,\eta_0,\eta_1,r) \models (\varphi \Rightarrow \psi) \otimes P \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho)) \models \varphi \Rightarrow \psi \\
\Longleftrightarrow& \forall s.\ \big((\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho) * s) \models \varphi\big) \Longrightarrow \big((\rho,\eta_0,\eta_1,r * \mathsf{eq}(\llbracket P\rrbracket_\rho) * s) \models \psi\big) \\
\Longleftrightarrow& \forall s.\ \big((\rho,\eta_0,\eta_1,r * s) \models \varphi \otimes P\big) \Longrightarrow \big((\rho,\eta_0,\eta_1,r * s) \models \psi \otimes P\big) \\
\Longleftrightarrow& (\rho,\eta_0,\eta_1,r) \models (\varphi \otimes P) \Rightarrow (\psi \otimes P).
\end{array}$$

Again, all the equivalences are obtained by rolling/unrolling the definition of $\models$ (the third also uses that $*$ on relations is associative and commutative, to regroup $r * \mathsf{eq}(\llbracket P\rrbracket_\rho) * s$ as $(r * s) * \mathsf{eq}(\llbracket P\rrbracket_\rho)$). □

Theorem 5.2. All the proof rules are sound.

Proof. The interpretation of all the logical connectives is standard, so that the semantics validates all the usual rules from first-order intuitionistic logic with equality. Moreover, by Lemma 5.1, all the rules about $\otimes$ are sound as well. Thus, it remains to show that the rules about Hoare triples and fixed point induction are sound.

Note that most of the rules about triples and fixed point induction have the form $\varphi \Rightarrow \psi$. When proving the soundness of those rules, we use the fact that $\varphi \Rightarrow \psi$ is valid if and only if $(\rho,\eta_0,\eta_1,r) \models \varphi$ implies $(\rho,\eta_0,\eta_1,r) \models \psi$ for all $(\rho,\eta_0,\eta_1,r)$.

The first case is the rule for memory allocation:

$$(\forall i.\,\{P * i \mapsto 0,0\}M\{Q\}) \ \Longrightarrow\ \{P\}\,\mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\,\{Q\}.$$

Consider $(\rho,\eta_0,\eta_1,r)$ satisfying the assumption of the above axiom. We need to prove that $(\rho,\eta_0,\eta_1,r)$ also satisfies the conclusion, i.e.,

$$[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r]\,(\llbracket \mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\rrbracket_{\rho,\eta_0}, \llbracket \mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\rrbracket_{\rho,\eta_1})\,[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r].$$

Choose arbitrary $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$, and $s \in \mathcal{R}$ such that

$$h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1 \quad\text{and}\quad k_0[(\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s) \to \mathsf{eq}(G)]k_1.$$

Pick $l \in \mathit{Loc} - \mathit{supp}(h_0,h_1,\rho,\eta_0,\eta_1,k_0,k_1)$. Then, the FM domain theory ensures that for $j = 0,1$,

$$\llbracket \mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\rrbracket_{\rho,\eta_j}(h_j,k_j) = \llbracket M\rrbracket_{\rho[i\mapsto l],\eta_j}(h_j \cdot [l \mapsto 0,0],\ k_j). \tag{5.1}$$

Let $\rho'$ be $\rho[i\mapsto l]$, and let $h'_j$ be $h_j \cdot [l \mapsto 0,0]$. We prove the required relationship for $\mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M$ as follows:

$$\begin{array}{@{}cl}
& h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[(\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s) \to \mathsf{eq}(G)]k_1 \\
\Longrightarrow& h_0[\mathsf{eq}(\llbracket P\rrbracket_{\rho'}) * r * s]h_1 \ \wedge\ k_0[(\mathsf{eq}(\llbracket Q\rrbracket_{\rho'}) * r * s) \to \mathsf{eq}(G)]k_1 \\
\Longrightarrow& h'_0[\mathsf{eq}(\llbracket P * i \mapsto 0,0\rrbracket_{\rho'}) * r * s]h'_1 \ \wedge\ k_0[(\mathsf{eq}(\llbracket Q\rrbracket_{\rho'}) * r * s) \to \mathsf{eq}(G)]k_1 \\
\Longrightarrow& \llbracket M\rrbracket_{\rho',\eta_0}(h'_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho',\eta_1}(h'_1,k_1) \\
\Longrightarrow& \llbracket \mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket \mathsf{let}\ i{=}\mathsf{new}\ \mathsf{in}\ M\rrbracket_{\rho,\eta_1}(h_1,k_1).
\end{array}$$

The first implication holds because $\rho$ and $\rho'$ differ only at $i$ and $i \notin \mathrm{fv}(P,Q)$. The second implication follows from the definition of $h'_j$, and the third implication from the assumption that $(\rho,\eta_0,\eta_1,r) \models \forall i.\,\{P * i \mapsto 0,0\}M\{Q\}$. Finally, the last implication holds because of equation (5.1).

The second case is the axiom for lookup:

$$(\forall i.\,\{P * E \mapsto i,E_1\}M\{Q\}) \ \Longrightarrow\ \{\exists i.\,P * E \mapsto i,E_1\}\,\mathsf{let}\ i{=}E.0\ \mathsf{in}\ M\,\{Q\}.$$

Consider $(\rho,\eta_0,\eta_1,r)$ that satisfies $\forall i.\,\{P * E \mapsto i,E_1\}M\{Q\}$, and pick arbitrary $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$ and $s \in \mathcal{R}$ such that

$$h_0[\mathsf{eq}(\llbracket \exists i.\,P * E \mapsto i,E_1\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

Let $l$ be $\llbracket E\rrbracket_\rho$ (which is well-defined since $i \notin \mathrm{fv}(E)$). By the first conjunct above, $l$ is in $\mathit{dom}(h_0) \cap \mathit{dom}(h_1)$, and there exist $v$ and $\rho'$ such that

$$v = \mathrm{proj}_0(h_0(l)) = \mathrm{proj}_0(h_1(l)), \qquad \rho' = \rho[i\mapsto v], \qquad\text{and}\qquad h_0[\mathsf{eq}(\llbracket P * E \mapsto i,E_1\rrbracket_{\rho'}) * r * s]h_1.$$

Here $\mathrm{proj}_0$ is the projection of the first component of pairs. The two equalities above about $v$ and $\rho'$ imply that for $j = 0,1$,

$$\llbracket \mathsf{let}\ i{=}E.0\ \mathsf{in}\ M\rrbracket_{\rho,\eta_j}(h_j,k_j) = \llbracket M\rrbracket_{\rho',\eta_j}(h_j,k_j). \tag{5.2}$$

We derive the desired relationship about $\mathsf{let}\ i{=}E.0\ \mathsf{in}\ M$ as follows:

$$\begin{array}{@{}cl}
& k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1 \ \wedge\ h_0[\mathsf{eq}(\llbracket P * E \mapsto i,E_1\rrbracket_{\rho'}) * r * s]h_1 \\
\Longrightarrow& k_0[\mathsf{eq}(\llbracket Q\rrbracket_{\rho'}) * r * s \to \mathsf{eq}(G)]k_1 \ \wedge\ h_0[\mathsf{eq}(\llbracket P * E \mapsto i,E_1\rrbracket_{\rho'}) * r * s]h_1 \\
\Longrightarrow& \llbracket M\rrbracket_{\rho',\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho',\eta_1}(h_1,k_1) \\
\Longrightarrow& \llbracket \mathsf{let}\ i{=}E.0\ \mathsf{in}\ M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket \mathsf{let}\ i{=}E.0\ \mathsf{in}\ M\rrbracket_{\rho,\eta_1}(h_1,k_1).
\end{array}$$

The first implication holds because $i \notin \mathrm{fv}(Q)$, the second follows from the fact that $(\rho,\eta_0,\eta_1,r)$ satisfies the assumption of this axiom, and the last implication follows from equation (5.2).

The third case is the axiom $\{E \mapsto -\}\,\mathsf{free}(E)\,\{\mathsf{emp}\}$. Choose arbitrary $(\rho,\eta_0,\eta_1,r)$, $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$, and $s \in \mathcal{R}$, such that

$$h_0[\mathsf{eq}(\llbracket E \mapsto -\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket \mathsf{emp}\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

By the first conjunct above, there are splittings $m_0 \cdot n_0 = h_0$ and $m_1 \cdot n_1 = h_1$ such that $m_0[\mathsf{eq}(\llbracket E \mapsto -\rrbracket_\rho)]m_1$ and $n_0[r * s]n_1$. Note that the relationship between $m_0$ and $m_1$ implies that $\llbracket \mathsf{free}(E)\rrbracket_{\rho,\eta_j}(h_j,k_j) = k_j(n_j)$ for $j = 0,1$. Thus, it is sufficient to show that $k_0(n_0)[\mathsf{eq}(G)]k_1(n_1)$. Note that $n_0$ and $n_1$ are already related by $r * s$, and $k_0$ and $k_1$ by $\mathsf{eq}(\llbracket \mathsf{emp}\rrbracket_\rho) * r * s \to \mathsf{eq}(G)$. The conclusion follows from these two relationships, because $\mathsf{eq}(\llbracket \mathsf{emp}\rrbracket_\rho) * r * s = r * s$.

The fourth case is the axiom $\{E \mapsto -,E_1\}\,E.0 := F\,\{E \mapsto F,E_1\}$. Choose arbitrary $(\rho,\eta_0,\eta_1,r)$, $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$, and $s \in \mathcal{R}$, such that

$$h_0[\mathsf{eq}(\llbracket E \mapsto -,E_1\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket E \mapsto F,E_1\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

Because of the first conjunct, there are splittings $m_0 \cdot n_0 = h_0$ and $m_1 \cdot n_1 = h_1$ such that $m_0[\mathsf{eq}(\llbracket E \mapsto -,E_1\rrbracket_\rho)]m_1$ and $n_0[r * s]n_1$. Let $m'$ be the heap $[\llbracket E\rrbracket_\rho \mapsto (\llbracket F\rrbracket_\rho, \llbracket E_1\rrbracket_\rho)]$. Then, we have the following two facts:

(1) $(m' \cdot n_0)\,[\mathsf{eq}(\llbracket E \mapsto F,E_1\rrbracket_\rho) * r * s]\,(m' \cdot n_1)$, and

(2) for all $j = 0,1$, $\llbracket E.0 := F\rrbracket_{\rho,\eta_j}(h_j,k_j) = k_j(m' \cdot n_j)$.

By the first fact, $k_0(m' \cdot n_0)[\mathsf{eq}(G)]k_1(m' \cdot n_1)$. Now, the second fact gives the required

$$\llbracket E.0 := F\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket E.0 := F\rrbracket_{\rho,\eta_1}(h_1,k_1).$$

The fifth case is the rule of Consequence. Suppose that $\llbracket P\rrbracket_\rho \subseteq \llbracket P'\rrbracket_\rho$ and $\llbracket Q'\rrbracket_\rho \subseteq \llbracket Q\rrbracket_\rho$, and $(\rho,\eta_0,\eta_1,r) \models \{P'\}M\{Q'\}$. Consider $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$, and $s \in \mathcal{R}$, such that

$$h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

Since $\mathsf{eq}$ is monotone and $*$ preserves the subset order for relations (while $- \to \mathsf{eq}(G)$ reverses it),

$$\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s \subseteq \mathsf{eq}(\llbracket P'\rrbracket_\rho) * r * s, \qquad\text{and}\qquad [\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)] \subseteq [\mathsf{eq}(\llbracket Q'\rrbracket_\rho) * r * s \to \mathsf{eq}(G)].$$

Thus, $h_0[\mathsf{eq}(\llbracket P'\rrbracket_\rho) * r * s]h_1$ and $k_0[\mathsf{eq}(\llbracket Q'\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1$. These two relationships imply the required $\llbracket M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho,\eta_1}(h_1,k_1)$, because $(\rho,\eta_0,\eta_1,r)$ satisfies $\{P'\}M\{Q'\}$.

The sixth case is the rule for introducing existential quantification for assertions:

$$(\forall i.\,\{P\}M\{Q\}) \ \Longrightarrow\ \{\exists i.\,P\}M\{\exists i.\,Q\}.$$

Consider $(\rho,\eta_0,\eta_1,r)$ that satisfies $\forall i.\,\{P\}M\{Q\}$. We should show that $(\rho,\eta_0,\eta_1,r)$ satisfies $\{\exists i.\,P\}M\{\exists i.\,Q\}$, i.e.,

$$[\mathsf{eq}(\llbracket \exists i.\,P\rrbracket_\rho) * r]\,(\llbracket M\rrbracket_{\rho,\eta_0},\llbracket M\rrbracket_{\rho,\eta_1})\,[\mathsf{eq}(\llbracket \exists i.\,Q\rrbracket_\rho) * r].$$

Pick arbitrary $h_0,h_1 \in \mathit{Heap}$, $k_0,k_1 \in \mathit{Cont}$, and $s \in \mathcal{R}$ such that

$$h_0[\mathsf{eq}(\llbracket \exists i.\,P\rrbracket_\rho) * r * s]h_1 \quad\text{and}\quad k_0[(\mathsf{eq}(\llbracket \exists i.\,Q\rrbracket_\rho) * r * s) \to \mathsf{eq}(G)]k_1.$$

By the definition of $\mathsf{eq}$, $\llbracket \exists i.\,P\rrbracket$ and $\llbracket \exists i.\,Q\rrbracket$, these two conjuncts imply the existence of $v$ and $\rho'$ such that

$$\rho' = \rho[i\mapsto v], \qquad h_0[\mathsf{eq}(\llbracket P\rrbracket_{\rho'}) * r * s]h_1, \qquad\text{and}\qquad k_0[(\mathsf{eq}(\llbracket Q\rrbracket_{\rho'}) * r * s) \to \mathsf{eq}(G)]k_1.$$

From what we have just shown, we derive the conclusion as follows:

$$\begin{array}{@{}cll}
& h_0[\mathsf{eq}(\llbracket P\rrbracket_{\rho'}) * r * s]h_1 \ \wedge\ k_0[(\mathsf{eq}(\llbracket Q\rrbracket_{\rho'}) * r * s) \to \mathsf{eq}(G)]k_1 & \\
\Longrightarrow& \llbracket M\rrbracket_{\rho',\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho',\eta_1}(h_1,k_1) & (\text{since } (\rho,\eta_0,\eta_1,r) \models \forall i.\,\{P\}M\{Q\}) \\
\Longrightarrow& \llbracket M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho,\eta_1}(h_1,k_1) & (\text{since } i \notin \mathrm{fv}(M)).
\end{array}$$
The seventh case is the disjunction rule. Suppose that $(\rho,\eta_0,\eta_1,r)$ satisfies triples $\{P\}M\{Q\}$ and $\{P'\}M\{Q'\}$. Consider $h_0,h_1 \in \mathit{Heap}$, $s \in \mathcal{R}$, and $k_0,k_1 \in \mathit{Cont}$, such that

$$h_0[\mathsf{eq}(\llbracket P \vee P'\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q \vee Q'\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

By the definition of $\mathsf{eq}(\llbracket P \vee P'\rrbracket_\rho)$, heaps $h_0$ and $h_1$ are related by $\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s$ or $\mathsf{eq}(\llbracket P'\rrbracket_\rho) * r * s$. Without loss of generality, we assume that

$$h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1. \tag{5.3}$$

Since $\mathsf{eq}$ is monotone and $*$ preserves the subset order for relations, relation $\mathsf{eq}(\llbracket Q \vee Q'\rrbracket_\rho) * r * s \to \mathsf{eq}(G)$ is a subset of $\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)$, and so,

$$k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1. \tag{5.4}$$

By the supposition, $(\rho,\eta_0,\eta_1,r)$ satisfies $\{P\}M\{Q\}$. Thus, relationships (5.3) and (5.4) imply the required

$$\llbracket M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho,\eta_1}(h_1,k_1).$$
The eighth case is the rule for the conditional statement. Suppose that $(\rho,\eta_0,\eta_1,r)$ satisfies $\{P \wedge E = F\}M\{Q\}$ and $\{P \wedge E \neq F\}N\{Q\}$. Consider $h_0,h_1 \in \mathit{Heap}$, $s \in \mathcal{R}$, and $k_0,k_1 \in \mathit{Cont}$, such that

$$h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

We do a case analysis depending on whether $\llbracket E\rrbracket_\rho = \llbracket F\rrbracket_\rho$. Suppose that $\llbracket E\rrbracket_\rho = \llbracket F\rrbracket_\rho$. In this case, $h_0[\mathsf{eq}(\llbracket P \wedge E = F\rrbracket_\rho) * r * s]h_1$, and

$$\llbracket \mathsf{if}\,(E{=}F)\,\mathsf{then}\,M\,\mathsf{else}\,N\rrbracket_{\rho,\eta_j}(h_j,k_j) = \llbracket M\rrbracket_{\rho,\eta_j}(h_j,k_j) \quad\text{for all } j = 0,1. \tag{5.5}$$

Using these facts, we derive the conclusion as follows:

$$\begin{array}{@{}cl}
& h_0[\mathsf{eq}(\llbracket P \wedge E = F\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1 \\
\Longrightarrow& \llbracket M\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho,\eta_1}(h_1,k_1) \\
\Longrightarrow& \llbracket \mathsf{if}\,(E{=}F)\,\mathsf{then}\,M\,\mathsf{else}\,N\rrbracket_{\rho,\eta_0}(h_0,k_0)\,[\mathsf{eq}(G)]\,\llbracket \mathsf{if}\,(E{=}F)\,\mathsf{then}\,M\,\mathsf{else}\,N\rrbracket_{\rho,\eta_1}(h_1,k_1).
\end{array}$$

The first implication follows from our assumption that $\{P \wedge E = F\}M\{Q\}$ is satisfied by $(\rho,\eta_0,\eta_1,r)$, and the second follows from equation (5.5) above. The other case, $\llbracket E\rrbracket_\rho \neq \llbracket F\rrbracket_\rho$, can be proved similarly, so it is omitted here.

The ninth case is the rule for sequential composition. Suppose that $(\rho,\eta_0,\eta_1,r)$ satisfies $\{P\}M\{P_0\}$ and $\{P_0\}N\{Q\}$. Consider $h_0,h_1 \in \mathit{Heap}$, $s \in \mathcal{R}$, and $k_0,k_1 \in \mathit{Cont}$, such that

$$h_0[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r * s]h_1 \ \wedge\ k_0[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]k_1.$$

Let $k'_j$ be $\lambda h'_j.\,\llbracket N\rrbracket_{\rho,\eta_j}(h'_j,k_j)$. Since $(\rho,\eta_0,\eta_1,r) \models \{P_0\}N\{Q\}$,

$$k'_0 = \lambda h'_0.\,\llbracket N\rrbracket_{\rho,\eta_0}(h'_0,k_0)\ \ [\mathsf{eq}(\llbracket P_0\rrbracket_\rho) * r * s \to \mathsf{eq}(G)]\ \ \lambda h'_1.\,\llbracket N\rrbracket_{\rho,\eta_1}(h'_1,k_1) = k'_1.$$

Since $(\rho,\eta_0,\eta_1,r) \models \{P\}M\{P_0\}$, the above relationship between $k'_0$ and $k'_1$ implies

$$\llbracket M\rrbracket_{\rho,\eta_0}(h_0,k'_0)\,[\mathsf{eq}(G)]\,\llbracket M\rrbracket_{\rho,\eta_1}(h_1,k'_1).$$

This gives the conclusion, because $\llbracket M;N\rrbracket_{\rho,\eta_j}(h_j,k_j)$ is equal to $\llbracket M\rrbracket_{\rho,\eta_j}(h_j,k'_j)$ for all $j = 0,1$.

The last case is the rule for fixed point induction. We note two properties of $\mathcal{C}$ and $\gamma$.

(1) For all $\rho,\eta$, if $\eta(x) = \bot$, then $\llbracket \mathcal{C}(x)\rrbracket_{\rho,\eta} = \bot$.

(2) For all $(\rho,\eta_0,\eta_1,r)$, the following set is admissible:

$$\{(m_0,m_1) \mid (\rho,\eta_0[x\mapsto m_0],\eta_1[x\mapsto m_1],r) \models \gamma(x)\}.$$

These properties can be proved by a straightforward induction on the structure of $\mathcal{C}$ and $\gamma$. The soundness of the induction rule follows from the second property. □

6. A General Construction

Our Kripke semantics of specifications presented in the previous section is in fact an instance of a general, abstract construction that allows one to interpret a specification logic with higher-order frame rules. In this section, we describe the general construction. The remaining part of the paper can be read and understood without reading this section, in which we assume some basic knowledge of categorical logic (see, e.g., [5] for a quick recap).

Before explaining our construction, we remind the reader of FM-cousins of monoid, preorder, Heyting algebra and complete Heyting algebra. For FM-sets $A,B,C$, we call an element $a_0 \in A$, a function $f : A \times B \to C$ or a relation $r \subseteq A \times B$ equivariant when they preserve the permutation action in the following sense: for all $a \in A$, $b \in B$ and $\pi \in \mathit{perm}$,

$$(\pi \cdot a_0 = a_0) \ \wedge\ (\pi \cdot (f(a,b)) = f(\pi \cdot a, \pi \cdot b)) \ \wedge\ ((a,b) \in r \Longleftrightarrow (\pi \cdot a, \pi \cdot b) \in r).$$

An FM-monoid is an FM-set $M$ with monoid operations ($I \in M$, $* : M \times M \to M$) such that $I$ and $*$ are equivariant, and an FM-preorder is an FM-set $A$ with an equivariant preorder $\sqsubseteq$ on $A$. An FM-Heyting algebra is an FM-poset $(A,\sqsubseteq)$ with operations

$$\bot, \top \in A, \qquad\text{and}\qquad \sqcup, \sqcap, \Rightarrow : A \times A \to A,$$

such that all of those operations are equivariant and $(A,\sqsubseteq,\bot,\top,\sqcup,\sqcap,\Rightarrow)$ forms a Heyting algebra. Finally, an FM-complete Heyting algebra is an FM-Heyting algebra $(A,\sqsubseteq,\bot,\top,\sqcup,\sqcap,\Rightarrow)$ such that every finitely supported subset of $A$ has a least upper bound and a greatest lower bound.

Our construction starts with an FM-monoid $(M,I,*)$ in which $*$ is commutative. The FM-monoid $(M,I,*)$ generalizes the set of finitely supported binary relations $r$ on heaps, where the monoid unit $I$ is the singleton relation $\{([],[])\}$ of two empty heaps and the monoid operator $*$ is the separating conjunction for relations. Intuitively, each $m$ in $M$ represents information about the internal resource invariants of modules, and the $*$ operator of $M$ is used to combine two pieces of information that describe disjoint resources. Throughout this section, we assume given a fixed FM-monoid $(M,I,*)$ with $*$ commutative, and describe a construction over this FM-monoid.

First, we define a preorder $\sqsubseteq$ on $M$:

$$m \sqsubseteq n \ \stackrel{\mathrm{def}}{\Longleftrightarrow}\ \exists m'.\ m * m' = n.$$

Intuitively, $m \sqsubseteq n$ means that $n$ is an extension of $m$ with information about additional disjoint resources.

Lemma 6.1. $(M,\sqsubseteq)$ is an FM-preorder.

It is well known that Kripke models of intuitionistic propositional logic are obtained by taking the upwards closed subsets of a preorder and that the upwards closed subsets form a complete Heyting algebra. Thus, our next step is to form such a model over $M$, but in the world of FM-sets. Hence we construct an FM-complete Heyting algebra $L(M)$ whose underlying set $L$ consists of finitely supported upwards closed subsets of $M$, and which is ordered by subset inclusion, denoted $\sqsubseteq_L$. The Heyting operations for $L$ are defined in the standard way: when $M_0,M_1 \in L(M)$,

$$\bot \stackrel{\mathrm{def}}{=} \emptyset, \qquad \top \stackrel{\mathrm{def}}{=} M, \qquad M_0 \sqcup M_1 \stackrel{\mathrm{def}}{=} M_0 \cup M_1, \qquad M_0 \sqcap M_1 \stackrel{\mathrm{def}}{=} M_0 \cap M_1,$$

$$M_0 \Rightarrow M_1 \ \stackrel{\mathrm{def}}{=}\ \{m \mid \forall m'.\ (m \sqsubseteq m' \wedge m' \in M_0) \Longrightarrow m' \in M_1\}.$$

Lemma 6.2. $(L(M), \sqsubseteq_L, \bot, \top, \sqcup, \sqcap, \Rightarrow)$ is an FM-complete Heyting algebra.

The lattice L{M) has two interesting properties, which we used in our semantics of 
separation logic. The first property is that the =^ operator involves quantification over 
information about disjoint resources: 

Lemma 6.3. An element m belongs to Mq ^ Mi if and only if 

Vm'. m* m' £ Mq =^ m* m! £ Mi. 

The second property is about the operator that frames in information about disjoint 
resources. We define a binary operator — — : L(M) x M ^ L{M) by 

Mo ®m {m' I m' * m G Mo}. 

Lemma 6.4. The function — ^ — is well-defined, and it satisfies the following three prop- 
erties: 

(1) — ® m commutes with ^ and all the existing least upper hounds or greatest lower 
bounds of subsets ofL{M). 

(2) (Mo (g) m) (g) m' = Mq (g) (m * m') for all Mq G L(M) and m, m' G M. 

(3) Mq is a subset of Mq (g m, for every Mq G L{M). 

In our semantics of separation logic, we used this gi operator to interpret invariant ex- 
tension (fSiP, and designed its proof rules, based on the general properties of (g summarized 
in the above lemma. 

Finally, we construct a hyperdoctrine $\mathrm{FMSet}(-, L(M))$, which can be used to interpret the specification logic, including quantifiers and invariant extensions (i.e., $\varphi \otimes P$).

Lemma 6.5. $\mathrm{FMSet}(-, L(M))$ satisfies all the axioms for hyperdoctrines, thereby allowing the interpretation of intuitionistic predicate logic.

For each $m \in M$, consider the fibred endo-functor

$$\mathrm{FMSet}(-, - \otimes m) : \mathrm{FMSet}(-, L(M)) \to \mathrm{FMSet}(-, L(M)),$$

which maps a predicate over $X$, that is, an equivariant function $\varphi$ from $X$ to $L(M)$, to $(- \otimes m) \circ \varphi$.

Lemma 6.6. The fibred functor $\mathrm{FMSet}(-, - \otimes m)$ preserves $\bot, \top, \sqcup, \Rightarrow$ in each fibre and commutes with the quantifiers $\exists$ and $\forall$.

In summary, the previous two lemmas provide alternative proofs to large parts of Lemma 5.1 and Theorem 5.2. In the proof of the latter theorem in the previous section we omitted the detailed proof of soundness of the rules for predicate logic; it is a consequence of the above Lemma 6.5. Finally, we remark that the general construction actually gives us more than we use in the previous section: First, since we have a hyperdoctrine, we in fact have a model of higher-order specification logic in which one can also model quantification over specifications. Second, $L(M)$ is in fact not only an FM-complete Heyting algebra but an FM-complete BI algebra. This means that we can have $*$ and $-\!*$ connectives also for specifications. We have not yet made use of these additional facts.

7. Properties of Semantic Quadruples

In this section, we prove two properties of semantic quadruples. The first clarifies the connection between our new interpretation of Hoare triples and the standard interpretation, and the second shows how our cps-style semantic quadruples are related to a more direct way of relating two commands.

First, we consider the relation between semantic quadruples and Hoare triples. Define an operator $\mathrm{cps}$ that cps-transforms a state transformer semantically:

$$\mathrm{cps} : (\mathit{Heap} \to (\mathit{Heap} + \{\mathit{err}\})_\bot) \to (\mathit{Heap} \times \mathit{Cont} \to O)$$

$$\mathrm{cps}(c) \ \stackrel{\mathrm{def}}{=}\ \lambda(h,k).\ \mathsf{if}\ (c(h) \notin \{\bot, \mathit{err}\})\ \mathsf{then}\ k(c(h))\ \mathsf{else}\ c(h).$$

Proposition 7.1. For all $p, q \subseteq \mathit{Heap}$ and all $c \in \mathit{Heap} \to (\mathit{Heap} + \{\mathit{err}\})_\bot$, the quadruple $[\mathsf{eq}(p)](\mathrm{cps}(c), \mathrm{cps}(c))[\mathsf{eq}(q)]$ holds iff the two conditions below hold:

(1) for every $h$ in $p$, either $c(h) = \bot$ or $c(h) \in q$; hence $c(h)$ cannot be $\mathit{err}$;

(2) for every $h$ in $p$ and $h_1$ such that $h \,\#\, h_1$,

(a) if $c(h) = \bot$, then $c(h \cdot h_1) = \bot$,

(b) if $c(h) \neq \bot$, then $c(h) \cdot h_1$ is defined and equal to $c(h \cdot h_1)$.

Note that the first condition is the usual meaning of Hoare triples, and the second is the locality condition of commands in separation logic restricted to heaps in $p$ [18]. Since the locality condition merely expresses the parametricity of commands with respect to new heaps, the proposition indicates that our interpretation of triples is the usual one enhanced by an additional parametricity requirement.
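As an added illustration, not from the original paper, of how the quantification over $r'$ in a semantic quadruple catches a command that violates condition (2), consider a command that probes whether a fixed location is allocated. The command $c_{\mathit{probe}}$, the world $r'$ and the continuation $k$ below are our own choices for this illustration. Fix $l \in \mathit{Loc}$, let $p = q = \{[]\}$ (only the empty heap), and define

$$c_{\mathit{probe}}(h) \ \stackrel{\mathrm{def}}{=}\ \mathsf{if}\ l \in \mathit{dom}(h)\ \mathsf{then}\ h\ \mathsf{else}\ \bot.$$

Condition (1) holds, since $c_{\mathit{probe}}([]) = \bot$. Condition (2-a) fails: $c_{\mathit{probe}}([]) = \bot$ but $c_{\mathit{probe}}([] \cdot [l \mapsto 0,0]) = [l \mapsto 0,0] \neq \bot$. The quadruple $[\mathsf{eq}(p)](\mathrm{cps}(c_{\mathit{probe}}),\mathrm{cps}(c_{\mathit{probe}}))[\mathsf{eq}(q)]$ fails for exactly this reason. Take the world $r' = \{([], [l \mapsto 0,0])\}$, which is finitely supported by $\{l\}$ and so lies in $\mathcal{R}$, the heaps $h_0 = []$ and $h_1 = [l \mapsto 0,0]$, and the constant continuation $k = \lambda h'.\,\mathit{normal}$. Then $h_0[\mathsf{eq}(p) * r']h_1$ via the splittings $[] \cdot [] = h_0$ and $[] \cdot [l \mapsto 0,0] = h_1$, and $k[\mathsf{eq}(q) * r' \to \mathsf{eq}(G)]k$ holds trivially, yet

$$\mathrm{cps}(c_{\mathit{probe}})(h_0,k) = \bot \qquad\text{and}\qquad \mathrm{cps}(c_{\mathit{probe}})(h_1,k) = k([l \mapsto 0,0]) = \mathit{normal},$$

and $(\bot,\mathit{normal}) \notin \mathsf{eq}(G)$. A reading of triples that only checked condition (1), i.e. only instantiated $r'$ with the unit relation $\{([],[])\}$, would accept $c_{\mathit{probe}}$; the extra world $r'$ is what makes the probe of the "new" cell observable.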

Proof of Proposition 7.1. ($\Longrightarrow$) Pick an arbitrary heap $h$ in $p$. Let $k$ be the continuation defined by

$$k(h') \ \stackrel{\mathrm{def}}{=}\ \mathsf{if}\ (h' \in q)\ \mathsf{then}\ \bot\ \mathsf{else}\ \mathit{err}.$$

Then, $k[\mathsf{eq}(q) \to \mathsf{eq}(G)]k$ and $h[\mathsf{eq}(p)]h$. By the assumption on the validity of the quadruple (instantiated with the unit relation $\{([],[])\}$ for $r'$), $\mathrm{cps}(c)(h,k)[\mathsf{eq}(G)]\mathrm{cps}(c)(h,k)$. By the definition of $k$, this relationship on $\mathrm{cps}(c)$ implies that $\mathrm{cps}(c)(h,k) = \bot$, which in turn gives

$$(c(h) = \bot) \ \vee\ (c(h) \in \mathit{Heap} \wedge k(c(h)) = \bot).$$

The second disjunct of this disjunction is equivalent to $c(h) \in q$ because $k(h') = \bot \Longleftrightarrow h' \in q$. So, the disjunction gives the first condition.

For the second condition, consider $h, h_1$ such that $h \in p$ and $h \,\#\, h_1$. Let $r$ be the relation on heaps, and define three continuations $k_0,k_1,k_2$ as follows:

$$k_0(h') \ \stackrel{\mathrm{def}}{=}\ \mathit{normal},$$

$$k_1(h') \ \stackrel{\mathrm{def}}{=}\ \mathsf{if}\ (h' = c(h))\ \mathsf{then}\ \mathit{normal}\ \mathsf{else}\ \bot,$$

$$k_2(h') \ \stackrel{\mathrm{def}}{=}\ \mathsf{if}\ (c(h) \in \mathit{Heap} \wedge h' = c(h) \cdot h_1)\ \mathsf{then}\ \mathit{normal}\ \mathsf{else}\ \bot.$$

By the definition of $r$ and $k_i$, we have that

$$h[\mathsf{eq}(p) * r](h \cdot h_1), \qquad k_0[\mathsf{eq}(q) * r \to \mathsf{eq}(G)]k_0, \qquad\text{and}\qquad k_1[\mathsf{eq}(q) * r \to \mathsf{eq}(G)]k_2.$$

To see why the third relationship holds, note that if $h'_1[\mathsf{eq}(q) * r]h'_2$, then $h'_1 \cdot h_1$ is defined and $h'_2 = h'_1 \cdot h_1$. Thus, $h'_1 = c(h)$ holds precisely when $c(h) \in \mathit{Heap} \wedge h'_2 = c(h) \cdot h_1$ holds. This implies that $k_1(h'_1) = \mathit{normal}$ iff $k_2(h'_2) = \mathit{normal}$. Now, by the assumption on the validity of the quadruple, we have that

$$\mathrm{cps}(c)(h,k_0)[\mathsf{eq}(G)]\mathrm{cps}(c)(h \cdot h_1,k_0) \qquad\text{and}\qquad \mathrm{cps}(c)(h,k_1)[\mathsf{eq}(G)]\mathrm{cps}(c)(h \cdot h_1,k_2).$$

The first conjunct about $k_0$ implies that if $c(h) = \bot$, then $c(h \cdot h_1) = \bot$, and the second conjunct about $k_1,k_2$ implies that if $c(h) \neq \bot$, then $c(h \cdot h_1) = c(h) \cdot h_1$.

($\Longleftarrow$) Consider a relation $r$ on heaps and pick heaps $h_1,h_2$ and continuations $k_1,k_2$ such that

$$h_1[\mathsf{eq}(p) * r]h_2 \qquad\text{and}\qquad k_1[\mathsf{eq}(q) * r \to \mathsf{eq}(G)]k_2.$$

Then, there exist two splittings $h'_1 \cdot h''_1 = h_1$ and $h'_2 \cdot h''_2 = h_2$ such that $h'_1 = h'_2 \in p$ and $h''_1[r]h''_2$. If $c(h_1) = \bot$, then $c(h'_1) = \bot$ by condition (2-b) of the assumption, and $c(h_2) = \bot$ by condition (2-a) of the assumption. Thus, in this case, we have $\mathrm{cps}(c)(h_1,k_1) = \mathrm{cps}(c)(h_2,k_2) = \bot$ and $\mathrm{cps}(c)(h_1,k_1)[\mathsf{eq}(G)]\mathrm{cps}(c)(h_2,k_2)$, as desired. Otherwise, i.e., if $c(h_1) \neq \bot$, then $c(h'_1) \neq \bot$ by condition (2-a). Thus, by condition (2-b), we have that $c(h_1) = c(h'_1) \cdot h''_1$ and $c(h_2) = c(h'_1) \cdot h''_2$. Since $c(h'_1) \in q$ by condition (1),

$$c(h_1) = c(h'_1) \cdot h''_1\ \ [\mathsf{eq}(q) * r]\ \ c(h'_1) \cdot h''_2 = c(h_2).$$

This implies $\mathrm{cps}(c)(h_1,k_1)[\mathsf{eq}(G)]\mathrm{cps}(c)(h_2,k_2)$, as desired. □

Next, we relate our cps-style notion of semantic quadruples to the direct-style alternative. The notion underlying this relationship is the observation closure, denoted $(-)^{\top\top}$. For each FM-cpo $D$ and relation $r \subseteq D \times D$, we define two relations, $r^\top$ on $[D \to O]$ and $r^{\top\top}$ on $D$, as follows:

$$\begin{array}{@{}lcl}
k_1[r^\top]k_2 &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \forall d_1,d_2 \in D.\ (d_1[r]d_2 \Longrightarrow k_1(d_1)[\mathsf{eq}(G)]k_2(d_2)), \\[2pt]
d_1[r^{\top\top}]d_2 &\stackrel{\mathrm{def}}{\Longleftrightarrow}& \forall k_1,k_2 \in [D \to O].\ (k_1[r^\top]k_2 \Longrightarrow k_1(d_1)[\mathsf{eq}(G)]k_2(d_2)).
\end{array}$$

Operator $(-)^\top$ dualizes a relation on $D$ to one on observations on $D$, and $(-)^{\top\top}$ closes a given relation $r$ under observations.

Proposition 7.2. Let $r,s$ be relations in $\mathcal{R}$. Consider functions $c_1,c_2$ from $\mathit{Heap}$ to $(\mathit{Heap} + \{\mathit{err}\})_\bot$. A quadruple $[r](\mathrm{cps}(c_1),\mathrm{cps}(c_2))[s]$ holds iff

$$\forall (r',h_1,h_2).\ h_1[r * r']h_2 \ \Longrightarrow\ \big(c_1(h_1) = c_2(h_2) = \bot \ \vee\ c_1(h_1)[(s * r')^{\top\top}]c_2(h_2)\big).$$

This proposition shows that our semantic quadruples are close to what one might expect at first for relating two commands parametrically. The only difference is that our quadruple always closes the post-relation $s * r'$ under observations.

Proof of Proposition 7.2. ($\Longrightarrow$) Consider $r',h_1,h_2$ such that $h_1[r * r']h_2$. We first show that

$$c_1(h_1) = \bot \ \Longleftrightarrow\ c_2(h_2) = \bot.$$

Let $k$ be the continuation $\lambda h'.\,\mathit{normal}$. Then, $k[s * r' \to \mathsf{eq}(G)]k$. By the assumption on the quadruple for $\mathrm{cps}(c_1),\mathrm{cps}(c_2)$, we have that

$$\mathrm{cps}(c_1)(h_1,k)[\mathsf{eq}(G)]\mathrm{cps}(c_2)(h_2,k).$$

This relationship implies that $c_1(h_1) = \bot \Longleftrightarrow c_2(h_2) = \bot$, because $c_j(h_j) = \bot \Longleftrightarrow \mathrm{cps}(c_j)(h_j,k) = \bot$ by the choice of $k$.

Next, we prove that if $c_1(h_1) \neq \bot$ or $c_2(h_2) \neq \bot$, then $c_1(h_1)[(s * r')^{\top\top}]c_2(h_2)$. By what we have just shown, $c_1(h_1) \neq \bot$ iff $c_2(h_2) \neq \bot$. We will assume that neither $c_1(h_1)$ nor $c_2(h_2)$ is $\bot$. Take two continuations $k_1,k_2$ such that $k_1[(s * r')^\top]k_2$, i.e., $k_1[s * r' \to \mathsf{eq}(G)]k_2$. Since the quadruple $[r](\mathrm{cps}(c_1),\mathrm{cps}(c_2))[s]$ holds by assumption and $h_1[r * r']h_2$, we have that

$$\mathrm{cps}(c_1)(h_1,k_1)[\mathsf{eq}(G)]\mathrm{cps}(c_2)(h_2,k_2).$$

Since both $c_1(h_1)$ and $c_2(h_2)$ are different from $\bot$, the relationship is equivalent to

$$k_1(c_1(h_1))[\mathsf{eq}(G)]k_2(c_2(h_2)).$$

We have just shown that $c_1(h_1)[(s * r')^{\top\top}]c_2(h_2)$.

($\Longleftarrow$) Pick an arbitrary relation $r'$, heaps $h_1,h_2$ and continuations $k_1,k_2$ such that $h_1[r * r']h_2$ and $k_1[s * r' \to \mathsf{eq}(G)]k_2$ (i.e., $k_1[(s * r')^\top]k_2$). By the assumption of this if direction, either $c_1(h_1) = c_2(h_2) = \bot$ or $c_1(h_1)[(s * r')^{\top\top}]c_2(h_2)$. In the first case,

$$\mathrm{cps}(c_1)(h_1,k_1) = \bot\ \ [\mathsf{eq}(G)]\ \ \bot = \mathrm{cps}(c_2)(h_2,k_2),$$

and in the second case, both $c_1(h_1)$ and $c_2(h_2)$ are in $\mathit{Heap}$, so that

$$\mathrm{cps}(c_1)(h_1,k_1) = k_1(c_1(h_1))\ \ [\mathsf{eq}(G)]\ \ k_2(c_2(h_2)) = \mathrm{cps}(c_2)(h_2,k_2).$$

The conclusion follows from these two relationships. □



8. Abstraction Theorem

The abstraction theorem below formalizes that well-specified programs (specified in separation logic with implicit quantification over internal resource invariants by frame rules) behave relationally parametrically in internal resource invariants. The easiest way to understand this intuition may be from the corollary following the theorem.

Some readers might feel that it is too much to call the abstraction theorem a "theorem" since it really is a trivial corollary of the soundness theorem; but that is just as it should be: the semantics was defined to achieve that.

Theorem 8.1 (Abstraction Theorem). If $\Delta \mid \Gamma \vdash \varphi$ is provable in the logic, then for all $(\rho,\eta_0,\eta_1,r) \in \llbracket\Delta\rrbracket \times \llbracket\Gamma\rrbracket^2 \times \mathcal{R}$, we have that $(\rho,\eta_0,\eta_1,r) \models \varphi$.

Proof. By Theorem 5.2 we get that $\Delta \mid \Gamma \vdash \varphi$ is valid, which is just what the conclusion expresses. □

Corollary 8.2. Suppose that $\Delta \mid x{:}\mathsf{com} \vdash \{P_1\}x\{Q_1\} \Rightarrow \{P\}M\{Q\}$ is provable in the logic. Then for all $(\rho,c_0,c_1,r)$, if $[\mathsf{eq}(\llbracket P_1\rrbracket_\rho) * r](c_0,c_1)[\mathsf{eq}(\llbracket Q_1\rrbracket_\rho) * r]$ holds, then

$$[\mathsf{eq}(\llbracket P\rrbracket_\rho) * r]\,(\llbracket M\rrbracket_{\rho,[x\mapsto c_0]}, \llbracket M\rrbracket_{\rho,[x\mapsto c_1]})\,[\mathsf{eq}(\llbracket Q\rrbracket_\rho) * r]$$

holds as well.

Intuitively, $x$ corresponds to a module with a single operation, and $M$ to a client of the module. This corollary says that if we prove a property of the client $M$ assuming only an abstract external specification $\{P_1\}x\{Q_1\}$ of the module, the client cannot tell apart two different implementations $c_0,c_1$ of the module, as long as $c_0,c_1$ have identical external behavior. The four instances of $\mathsf{eq}$ in the corollary formalize that the external behaviors of $c_0,c_1$ are identical and that the client $M$ behaves the same externally regardless of whether it is used with $c_0$ or $c_1$. The relation $r$ is a simulation relation for internal resource invariants of $c_0$ and $c_1$.
$$\begin{array}{@{}l}
\forall j.\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j\}\ \mathit{inc}_0\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,(j{+}1)\} \\
\forall j.\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j \,*\, g \mapsto -\}\ \mathit{read}_0\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j \,*\, g \mapsto -,j\} \\[4pt]
\mathit{inc}_0 \ =\ \mathsf{let}\ i{=}c.0\ \mathsf{in}\ (\mathsf{let}\ j{=}i.1\ \mathsf{in}\ i.1 := j{+}1) \\
\mathit{read}_0 \ =\ \mathsf{let}\ i{=}c.0\ \mathsf{in}\ (\mathsf{let}\ j{=}i.1\ \mathsf{in}\ g.1 := j) \\[6pt]
\forall j.\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j\}\ \mathit{inc}_1\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,(j{-}1)\} \\
\forall j.\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j \,*\, g \mapsto -\}\ \mathit{read}_1\ \{\exists i.\ c \mapsto i,- \,*\, i \mapsto -,j \,*\, g \mapsto -,(-j)\} \\[4pt]
\mathit{inc}_1 \ =\ \mathsf{let}\ i{=}c.0\ \mathsf{in}\ (\mathsf{let}\ j{=}i.1\ \mathsf{in}\ i.1 := j{-}1) \\
\mathit{read}_1 \ =\ \mathsf{let}\ i{=}c.0\ \mathsf{in}\ (\mathsf{let}\ j{=}i.1\ \mathsf{in}\ g.1 := -j) \\[6pt]
\Delta \mid \Gamma \vdash (\{\mathsf{emp}\}\mathit{inc}\{\mathsf{emp}\} \wedge \{g \mapsto -\}\mathit{read}\{g \mapsto -\}) \Rightarrow \{g \mapsto -\}\,\mathit{inc};\mathit{read}\,\{g \mapsto -\} \\[2pt]
\text{(where } \Delta = \{g,c\} \text{ and } \Gamma = \{\mathit{inc}: \mathsf{com},\ \mathit{read}: \mathsf{com}\})
\end{array}$$

Figure 8: Two Implementations of a Counter and a Simple Client



Proof of Corollary 8.2. Define environments $\eta_0,\eta_1$ and heap sets $p,p_1,q,q_1$ as follows:

$$\eta_0 = [x \mapsto c_0], \qquad \eta_1 = [x \mapsto c_1], \qquad\text{and}\qquad (p_1,q_1,p,q) = (\llbracket P_1\rrbracket_\rho, \llbracket Q_1\rrbracket_\rho, \llbracket P\rrbracket_\rho, \llbracket Q\rrbracket_\rho).$$

By Theorem 8.1 we have, for any $r$, that $(\rho,\eta_0,\eta_1,r) \models \{P_1\}x\{Q_1\} \Rightarrow \{P\}M\{Q\}$. From this, we derive the conclusion of the corollary:

$$\begin{array}{@{}cl}
& (\rho,\eta_0,\eta_1,r) \models \{P_1\}x\{Q_1\} \Rightarrow \{P\}M\{Q\} \\
\Longrightarrow& \big(\forall s \in \mathcal{R}.\ (\rho,\eta_0,\eta_1,r * s) \models \{P_1\}x\{Q_1\} \Longrightarrow (\rho,\eta_0,\eta_1,r * s) \models \{P\}M\{Q\}\big) \\
\Longrightarrow& \big((\rho,\eta_0,\eta_1,r) \models \{P_1\}x\{Q_1\} \Longrightarrow (\rho,\eta_0,\eta_1,r) \models \{P\}M\{Q\}\big) \\
\Longrightarrow& \big([\mathsf{eq}(p_1) * r](c_0,c_1)[\mathsf{eq}(q_1) * r] \Longrightarrow [\mathsf{eq}(p) * r](\llbracket M\rrbracket_{\rho,\eta_0}, \llbracket M\rrbracket_{\rho,\eta_1})[\mathsf{eq}(q) * r]\big).
\end{array}$$

The second step instantiates $s$ with the unit relation $\{([],[])\}$, and the last unfolds the semantics of triples using $\llbracket x\rrbracket_{\rho,\eta_j} = c_j$. □



9. Examples 

Our first example is the two implementations of a counter in the introduction and the simple client (inc; read) in Example 3.1. We remind the reader of the implementations and the specification of the client in Figure 8 (here we use the formally correct 0 and 1 for the fields named data and next in the introduction, for readability). The figure also shows the concrete specifications of the implementations. Note that the concrete specifications describe that both implementations use an internal cell c.0 to keep the value of the counter, and that the second implementation stores the negated value of the counter in this internal cell.

Pick a location $l \in \mathrm{Loc}$ and an environment $\rho \in \llbracket \{c, g\} \rrbracket$ with $\rho(c) = l$, and define $f_0, f_1, g_0, g_1, b_0, b_1$ as follows:

\[ f_i \stackrel{\mathrm{def}}{=} \llbracket \mathrm{inc}_i \rrbracket\rho,\emptyset,\quad g_i \stackrel{\mathrm{def}}{=} \llbracket \mathrm{read}_i \rrbracket\rho,\emptyset,\quad b_i \stackrel{\mathrm{def}}{=} \llbracket \mathrm{inc};\mathrm{read} \rrbracket\rho,[\mathrm{inc} \mapsto f_i, \mathrm{read} \mapsto g_i]. \]

Now, by the Abstraction Theorem, we get that, for all r,

\[
\begin{array}{l}
([\mathrm{eq}(\llbracket \mathrm{emp} \rrbracket\rho) * r](f_0, f_1)[\mathrm{eq}(\llbracket \mathrm{emp} \rrbracket\rho) * r]\ \wedge\ [\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r](g_0, g_1)[\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r]) \\
\Rightarrow\ [\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r](b_0, b_1)[\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r].
\end{array}
\tag{9.1}
\]
\[ \forall i, v.\ \{i \mapsto -,v\ *\ k \mapsto -\}\ \mathrm{put}_0(i)\ \{k \mapsto -,v\} \]
\[ \forall j, v.\ \{j \mapsto -\ *\ k \mapsto -,v\}\ \mathrm{get}_0(j)\ \{j \mapsto -,v\ *\ k \mapsto -,v\} \]

put₀ = λi. let v = i.1 in (free(i); k.1 := v)
get₀ = λj. let v = k.1 in j.1 := v

\[ \forall i, v.\ \{i \mapsto -,v\ *\ (\exists k'.\ k \mapsto k',-\ *\ k' \mapsto -)\}\ \mathrm{put}_1(i)\ \{\exists k'.\ k \mapsto k',-\ *\ k' \mapsto -,v\} \]
\[ \forall j, v.\ \{j \mapsto -\ *\ (\exists k'.\ k \mapsto k',-\ *\ k' \mapsto -,v)\}\ \mathrm{get}_1(j)\ \{j \mapsto -,v\ *\ (\exists k'.\ k \mapsto k',-\ *\ k' \mapsto -,v)\} \]

put₁ = λi. let k'=k.0 in (free(k'); k.0:=i)
get₁ = λj. let k'=k.0 in let v=k'.1 in j.1:=v

\[ \Delta \mid \Gamma \vdash (\forall i.\ \{i \mapsto -\}\mathrm{put}(i)\{\mathrm{emp}\}) \wedge (\forall j.\ \{j \mapsto -\}\mathrm{get}(j)\{j \mapsto -\}) \Rightarrow \{j \mapsto -\}c\{j \mapsto -\} \]

(where Δ = {j, k} and Γ = {put: val → com, get: val → com})

c = let i=new in (i.1:=5; put(i); get(j))

Figure 9: Two Implementations of a Buffer and a Simple Client

We now sketch a consequence of this result; for brevity we allow ourselves to be a bit informal. Let r be the following simulation relation between the two implementations:

\[ r \stackrel{\mathrm{def}}{=} \{(h_0, h_1) \mid \exists i \in \mathrm{Loc}.\ \exists n \in \mathrm{Int}.\ \exists v_0, v_1, v_0', v_1' \in \mathrm{Val}.\ i \neq l \wedge h_0 = [c \mapsto i, v_0] \cdot [i \mapsto v_0', n] \wedge h_1 = [c \mapsto i, v_1] \cdot [i \mapsto v_1', -n]\}. \]

Then one can verify that the antecedent of the implication in (9.1) holds, and thus conclude that

\[ [\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r](b_0, b_1)[\mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r] \]

holds. Take $(h_0, h_1) \in \mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho) * r$, and denote the result of running $b_0$ on $h_0$ by $h_0'$, and the result of running $b_1$ on $h_1$ by $h_1'$. We then conclude that $h_0'$ will be of the form $h_{00}' \cdot h_{01}'$ and that $h_1'$ will be of the form $h_{10}' \cdot h_{11}'$ with $(h_{01}', h_{11}') \in r$ and with $(h_{00}', h_{10}') \in \mathrm{eq}(\llbracket g \mapsto - \rrbracket\rho)$.

Thus the relation between the internal resource invariants is maintained and, for the visible part, $b_0$ and $b_1$ both produce the same heap with exactly one cell.

The next example is a buffer of size one, and it illustrates ownership transfer. Our buffer has operations put and get. Intuitively, put(i) stores the value found at i in the buffer, and get(j) retrieves the value stored in the buffer and stores it at j. We assume the following abstract specifications of this mutable abstract data type:

\[ (\forall i.\ \{i \mapsto -\}\mathrm{put}(i)\{\mathrm{emp}\}) \quad\text{and}\quad (\forall j.\ \{j \mapsto -\}\mathrm{get}(j)\{j \mapsto -\}). \]

Figure 9 shows two implementations of the buffer and a client, as well as the concrete specifications for the implementations and the specification for the client. Note that the first implementation just uses one cell for the buffer and that the implementation follows the intuitive description given above. The second implementation uses two cells for the buffer. The additional cell is the cell pointed to by i itself, which the implementation keeps instead of copying its value out. Note that this additional cell is transferred from the caller of put₁(i), i.e., a client of the buffer. Finally, the specification of the client describes the safety property of c, assuming the abstract specification for the buffer.
Pick $\rho \in \llbracket \{j, k\} \rrbracket$, and define $f_0, f_1, g_0, g_1, c_0, c_1$ by

\[ f_i \stackrel{\mathrm{def}}{=} \llbracket \mathrm{put}_i \rrbracket\rho,\emptyset,\quad g_i \stackrel{\mathrm{def}}{=} \llbracket \mathrm{get}_i \rrbracket\rho,\emptyset,\quad c_i \stackrel{\mathrm{def}}{=} \llbracket c \rrbracket\rho,[\mathrm{put} \mapsto f_i, \mathrm{get} \mapsto g_i]. \]

Our Abstraction Theorem gives that, for all r,

\[
\begin{array}{l}
(\forall v \in \mathrm{Val}.\ [\mathrm{eq}(\llbracket i \mapsto - \rrbracket\rho[i \mapsto v]) * r](f_0(v), f_1(v))[\mathrm{eq}(\llbracket \mathrm{emp} \rrbracket\rho[i \mapsto v]) * r])\ \wedge \\
(\forall v \in \mathrm{Val}.\ [\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho[j \mapsto v]) * r](g_0(v), g_1(v))[\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho[j \mapsto v]) * r]) \\
\Rightarrow\ [\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r](c_0, c_1)[\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r].
\end{array}
\tag{9.2}
\]

This result implies that the client behaves the same no matter whether we run it with the first or second implementation of the buffer. To see this, let l be $\rho(k)$ and define a simulation relation r between the two implementations:

\[ r \stackrel{\mathrm{def}}{=} \{(h_0, h_1) \mid \exists l' \in \mathrm{Loc}.\ \exists n, v_0, v_1, v_1' \in \mathrm{Val}.\ l \neq l' \wedge h_0 = [l \mapsto v_0, n] \wedge h_1 = [l \mapsto l', v_1] \cdot [l' \mapsto v_1', n]\}. \]

For this relation r, one can verify that the antecedent of the implication in (9.2) holds, and thus conclude that

\[ [\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r](c_0, c_1)[\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r] \]

holds. This quadruple says, in particular, that $c_0$ and $c_1$ map $\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r$-related heaps to $\mathrm{eq}(\llbracket j \mapsto - \rrbracket\rho) * r$-related heaps, which means that they behave the same for cell j and preserve the r relation for the internal resource invariants of the two implementations.
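Both examples of this section can be exercised on concrete heaps. The following Python model is an added illustration and not code from the paper: heaps are dictionaries from locations to two-field cells, the four counter operations of Figure 8 and the four buffer operations of Figure 9 are written as heap-mutating functions, and the two simulation relations r defined above are written as predicates on pairs of internal heaps. check() runs the two clients on eq(visible) * r related heaps and reports whether the results are again related, which is exactly the consequence drawn from (9.1) and (9.2). The locations, the initial buffer contents and the environment dictionaries are constructed values, and counter_demo(peek=True) goes beyond the paper by running a client that reads the internal cell directly, which the abstract specification does not license, so that the two counters become distinguishable.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constructed model of the paper's heaps (not the paper's own code): a heap is a
# finite map from locations (ints) to two-field cells [f0, f1]; the field names 0
# and 1 are those of Figures 8 and 9.  h0 . h1 is disjoint union, which split() undoes.
Heap = Dict[int, List[int]]
Env = Dict[str, int]               # assumed: locations of the variables in Delta
Rel = Callable[[Heap, Heap], bool]

def split(h: Heap, visible: Set[int]) -> Tuple[Heap, Heap]:
    """Split h = h_vis . h_int at the visible locations (separating conjunction)."""
    return ({l: v for l, v in h.items() if l in visible},
            {l: v for l, v in h.items() if l not in visible})

def check(h0: Heap, h1: Heap, visible: Set[int],
          body0: Callable[[Heap], None], body1: Callable[[Heap], None], r: Rel) -> bool:
    """Run body0 on h0 and body1 on h1, which must be eq(visible) * r related, and
    report whether the results are again eq(visible) * r related: identical visible
    parts and r-related internal parts (the quadruple of Corollary 8.2)."""
    assert split(h0, visible)[0] == split(h1, visible)[0]
    assert r(split(h0, visible)[1], split(h1, visible)[1])
    body0(h0)
    body1(h1)
    (v0, i0), (v1, i1) = split(h0, visible), split(h1, visible)
    return v0 == v1 and r(i0, i1)

# Counter (Figure 8): c.0 points at a cell i whose field 1 holds n (inc0/read0)
# or -n (inc1/read1).  e maps the variables c and g to their locations.
def inc0(h: Heap, e: Env) -> None:  i = h[e["c"]][0]; h[i][1] += 1
def read0(h: Heap, e: Env) -> None: i = h[e["c"]][0]; h[e["g"]][1] = h[i][1]
def inc1(h: Heap, e: Env) -> None:  i = h[e["c"]][0]; h[i][1] -= 1
def read1(h: Heap, e: Env) -> None: i = h[e["c"]][0]; h[e["g"]][1] = -h[i][1]

def counter_r(h0: Heap, h1: Heap, l: int) -> bool:
    """The simulation relation r of Section 9 for the counter, with l = rho(c)."""
    if l not in h0 or l not in h1:
        return False
    i = h0[l][0]
    return (i != l and h1[l][0] == i and set(h0) == {l, i} == set(h1)
            and h0[i][1] == -h1[i][1])

def counter_demo(n: int = 7, peek: bool = False) -> bool:
    """Run inc; read against both counters on eq(g -> -) * r related heaps.  With
    peek=True the client copies i.1 into g directly, which {emp}inc{emp} and
    {g -> -}read{g -> -} do not license, and the two counters become distinguishable."""
    e = {"c": 1, "g": 3}                          # constructed locations
    h0 = {3: [0, 0], 1: [2, 0], 2: [0, n]}        # cells g, c, i; counter value n
    h1 = {3: [0, 0], 1: [2, 0], 2: [0, -n]}       # cells g, c, i; stored as -n
    def client(h: Heap, inc, read) -> None:
        inc(h, e)
        if peek:
            h[e["g"]][1] = h[h[e["c"]][0]][1]
        else:
            read(h, e)
    return check(h0, h1, {3}, lambda h: client(h, inc0, read0),
                 lambda h: client(h, inc1, read1), lambda a, b: counter_r(a, b, 1))

# Buffer (Figure 9): put0/get0 keep the value in k.1 and free the caller's cell;
# put1/get1 keep the caller's cell itself (ownership transfer) and point k.0 at it.
def put0(h: Heap, e: Env, i: int) -> None: v = h[i][1]; del h[i]; h[e["k"]][1] = v
def get0(h: Heap, e: Env, j: int) -> None: h[j][1] = h[e["k"]][1]
def put1(h: Heap, e: Env, i: int) -> None: old = h[e["k"]][0]; del h[old]; h[e["k"]][0] = i
def get1(h: Heap, e: Env, j: int) -> None: h[j][1] = h[h[e["k"]][0]][1]

def buffer_r(h0: Heap, h1: Heap, l: int) -> bool:
    """The simulation relation r for the buffer, with l = rho(k):
    h0 = [l -> v0, n] and h1 = [l -> l', v1] . [l' -> v1', n]."""
    if l not in h0 or l not in h1:
        return False
    l1 = h1[l][0]
    return (l1 != l and set(h0) == {l} and set(h1) == {l, l1}
            and h0[l][1] == h1[l1][1])

def buffer_demo() -> Tuple[bool, int, int]:
    """Run the client c of Figure 9 against both buffers; returns whether
    eq(j -> -) * r is preserved and the value left in j.1 by each run."""
    e = {"j": 10, "k": 1}                         # constructed locations
    h0 = {10: [0, 0], 1: [0, 4]}                  # cells j, k; buffer holds 4
    h1 = {10: [0, 0], 1: [2, 0], 2: [0, 4]}       # cells j, k, k'; buffer holds 4
    def client(h: Heap, put, get) -> None:
        i = max(h) + 1                            # new: a fresh location, fields unspecified
        h[i] = [0, 0]
        h[i][1] = 5
        put(h, e, i)                              # cell i now belongs to the buffer (or is freed)
        get(h, e, e["j"])
    ok = check(h0, h1, {10}, lambda h: client(h, put0, get0),
               lambda h: client(h, put1, get1), lambda a, b: buffer_r(a, b, 1))
    return ok, h0[10][1], h1[10][1]
```

counter_demo() and buffer_demo() return True (and, for the buffer, the value 5 left in cell j by both runs), while counter_demo(peek=True) returns False because the visible cell g ends up holding n+1 under one implementation and -(n+1) under the other. free is modelled by `del`, so a program that frees a cell it does not own raises a KeyError, which is the kind of unsafe step the specifications rule out; after put₁ the client no longer holds cell i, and split() reports it as part of the buffer's internal heap.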

10. Conclusion and Future Work 

We have succeeded in defining the first relationally parametric model of separation 
logic. The model captures the informal idea that well-specified clients of mutable abstract 
data types should behave parametrically in the internal resource invariants of the abstract 
data type. 

We see our work as a first step towards devising a logic for reasoning about mutable abstract data types, similar in spirit to Abadi and Plotkin's logic for parametricity [16, 6]. To this end, we also expect to make use of the ideas of relational separation logic in [21] for reasoning about relations between different programs syntactically. The logic should include a link between separation logic and relational separation logic so that one could get a syntactic representation of the semantic Abstraction Theorem and its corollary presented above.

One can also think of our work as akin to the O'Hearn-Reynolds model for Idealized Algol based on translation into a relationally parametric polymorphic linear lambda calculus [12]. In loc. cit. O'Hearn and Reynolds show how to provide a better model of stack variables for Idealized Algol by making a formal connection to parametricity. Here we provide a better model for the more unwieldy world of heap storage by making a formal connection to parametricity.

As mentioned in Section 3, the conjunction rule is not sound in our model. This is a consequence of our interpretation, which "bakes in" the frame rule by quantifying over all relations r'. Indeed, using the characterization given by Proposition 7.2, one sees that for the conjunction rule

\[ ([r_1](\mathrm{cps}(c_1), \mathrm{cps}(c_2))[s_1] \wedge [r_2](\mathrm{cps}(c_1), \mathrm{cps}(c_2))[s_2]) \Rightarrow [r_1 \wedge r_2](\mathrm{cps}(c_1), \mathrm{cps}(c_2))[s_1 \wedge s_2] \]

to hold, we would need something like $(r_1 \wedge r_2) * r = (r_1 * r) \wedge (r_2 * r)$ to hold. We "bake in" the frame rule in order to get a model that validates a wide range of higher-order frame rules, and it is known that already for second-order frame rules the conjunction rule is not sound without some restrictions on the predicates involved [14]. We don't know whether it is possible to develop a parametric model in which the conjunction rule is sound.
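As an added illustration, not taken from the paper, the following constructed Python model shows why an identity of the shape $(r_1 \wedge r_2) * r = (r_1 * r) \wedge (r_2 * r)$ cannot be expected in general: already for heap predicates, conjunction fails to distribute over separating conjunction, because the two conjuncts may split one and the same heap in different ways. Heaps are modelled as frozensets of (location, value) pairs, predicates as sets of heaps, and all names are the example's own; applying the same construction to pairs of heaps gives the relational case.

```python
from itertools import product
from typing import FrozenSet, Set, Tuple

# Constructed model: a heap is a frozenset of (location, value) pairs (hashable,
# so heaps can be members of sets); a predicate is a set of heaps.
Heap = FrozenSet[Tuple[int, str]]
Pred = Set[Heap]

def dom(h: Heap) -> Set[int]:
    """Domain of a heap: the set of locations it owns."""
    return {loc for loc, _ in h}

def sep(p: Pred, q: Pred) -> Pred:
    """Separating conjunction p * q: every h0 . h1 with h0 in p, h1 in q and
    disjoint domains."""
    return {h0 | h1 for h0, h1 in product(p, q) if not (dom(h0) & dom(h1))}

def distributes(p1: Pred, p2: Pred, p: Pred) -> bool:
    """Does (p1 and p2) * p coincide with (p1 * p) and (p2 * p) for these predicates?"""
    return sep(p1 & p2, p) == sep(p1, p) & sep(p2, p)

def counterexample() -> Tuple[bool, Pred, Pred]:
    """p1 = {[1 -> a]}, p2 = {[2 -> b]}, p = {[1 -> a], [2 -> b]}: p1 and p2 is empty,
    so the left-hand side is empty, yet [1 -> a] . [2 -> b] lies in both p1 * p
    (splitting off [1 -> a]) and p2 * p (splitting off [2 -> b])."""
    a: Heap = frozenset({(1, "a")})
    b: Heap = frozenset({(2, "b")})
    p1, p2, p = {a}, {b}, {a, b}
    return distributes(p1, p2, p), sep(p1 & p2, p), sep(p1, p) & sep(p2, p)
```

counterexample() returns False together with the empty left-hand side and a right-hand side containing the single heap [1 → a] · [2 → b]. The identity does hold in special cases, for instance when p contains only [1 → a], since then p1 * p is already empty; what the model lacks in general is a condition on the predicates, which is the kind of restriction the cited result on second-order frame rules imposes.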

Future work further includes developing a parametric model for the higher-order version 
of separation logic with explicit quantification over internal resource invariants. Finally, we 
hope that ideas similar to those presented here can be used to develop parametric models 
for other recent approaches to mutable abstract data types (e.g., [2]). 